1 diff -urNp linux-2.6.16.12/arch/alpha/kernel/module.c linux-2.6.16.12/arch/alpha/kernel/module.c
2 --- linux-2.6.16.12/arch/alpha/kernel/module.c 2006-05-01 15:14:26.000000000 -0400
3 +++ linux-2.6.16.12/arch/alpha/kernel/module.c 2006-05-01 20:17:33.000000000 -0400
4 @@ -177,7 +177,7 @@ apply_relocate_add(Elf64_Shdr *sechdrs,
6 /* The small sections were sorted to the end of the segment.
7 The following should definitely cover them. */
8 - gp = (u64)me->module_core + me->core_size - 0x8000;
9 + gp = (u64)me->module_core_rw + me->core_size_rw - 0x8000;
10 got = sechdrs[me->arch.gotsecindex].sh_addr;
12 for (i = 0; i < n; i++) {
13 diff -urNp linux-2.6.16.12/arch/alpha/kernel/osf_sys.c linux-2.6.16.12/arch/alpha/kernel/osf_sys.c
14 --- linux-2.6.16.12/arch/alpha/kernel/osf_sys.c 2006-05-01 15:14:26.000000000 -0400
15 +++ linux-2.6.16.12/arch/alpha/kernel/osf_sys.c 2006-05-01 20:17:33.000000000 -0400
16 @@ -1274,6 +1274,10 @@ arch_get_unmapped_area(struct file *filp
17 merely specific addresses, but regions of memory -- perhaps
18 this feature should be incorporated into all ports? */
20 +#ifdef CONFIG_PAX_RANDMMAP
21 + if (!(current->mm->pax_flags & MF_PAX_RANDMMAP) || !filp)
25 addr = arch_get_unmapped_area_1 (PAGE_ALIGN(addr), len, limit);
26 if (addr != (unsigned long) -ENOMEM)
27 @@ -1281,8 +1285,8 @@ arch_get_unmapped_area(struct file *filp
30 /* Next, try allocating at TASK_UNMAPPED_BASE. */
31 - addr = arch_get_unmapped_area_1 (PAGE_ALIGN(TASK_UNMAPPED_BASE),
33 + addr = arch_get_unmapped_area_1 (PAGE_ALIGN(current->mm->mmap_base), len, limit);
35 if (addr != (unsigned long) -ENOMEM)
38 diff -urNp linux-2.6.16.12/arch/alpha/kernel/ptrace.c linux-2.6.16.12/arch/alpha/kernel/ptrace.c
39 --- linux-2.6.16.12/arch/alpha/kernel/ptrace.c 2006-05-01 15:14:26.000000000 -0400
40 +++ linux-2.6.16.12/arch/alpha/kernel/ptrace.c 2006-05-01 20:17:33.000000000 -0400
42 #include <linux/slab.h>
43 #include <linux/security.h>
44 #include <linux/signal.h>
45 +#include <linux/grsecurity.h>
47 #include <asm/uaccess.h>
48 #include <asm/pgtable.h>
49 @@ -267,7 +268,7 @@ do_sys_ptrace(long request, long pid, lo
50 struct task_struct *child;
57 DBG(DBG_MEM, ("request=%ld pid=%ld addr=0x%lx data=0x%lx\n",
58 @@ -288,6 +289,9 @@ do_sys_ptrace(long request, long pid, lo
62 + if (gr_handle_ptrace(child, request))
65 if (request == PTRACE_ATTACH) {
66 ret = ptrace_attach(child);
68 diff -urNp linux-2.6.16.12/arch/alpha/mm/fault.c linux-2.6.16.12/arch/alpha/mm/fault.c
69 --- linux-2.6.16.12/arch/alpha/mm/fault.c 2006-05-01 15:14:26.000000000 -0400
70 +++ linux-2.6.16.12/arch/alpha/mm/fault.c 2006-05-01 20:17:33.000000000 -0400
72 #include <linux/smp_lock.h>
73 #include <linux/interrupt.h>
74 #include <linux/module.h>
75 +#include <linux/binfmts.h>
77 #include <asm/system.h>
78 #include <asm/uaccess.h>
79 @@ -56,6 +57,124 @@ __load_new_mm_context(struct mm_struct *
83 +#ifdef CONFIG_PAX_PAGEEXEC
85 + * PaX: decide what to do with offenders (regs->pc = fault address)
87 + * returns 1 when task should be killed
88 + * 2 when patched PLT trampoline was detected
89 + * 3 when unpatched PLT trampoline was detected
91 +static int pax_handle_fetch_fault(struct pt_regs *regs)
94 +#ifdef CONFIG_PAX_EMUPLT
97 + do { /* PaX: patched PLT emulation #1 */
98 + unsigned int ldah, ldq, jmp;
100 + err = get_user(ldah, (unsigned int *)regs->pc);
101 + err |= get_user(ldq, (unsigned int *)(regs->pc+4));
102 + err |= get_user(jmp, (unsigned int *)(regs->pc+8));
107 + if ((ldah & 0xFFFF0000U) == 0x277B0000U &&
108 + (ldq & 0xFFFF0000U) == 0xA77B0000U &&
109 + jmp == 0x6BFB0000U)
111 + unsigned long r27, addr;
112 + unsigned long addrh = (ldah | 0xFFFFFFFFFFFF0000UL) << 16;
113 + unsigned long addrl = ldq | 0xFFFFFFFFFFFF0000UL;
115 + addr = regs->r27 + ((addrh ^ 0x80000000UL) + 0x80000000UL) + ((addrl ^ 0x8000UL) + 0x8000UL);
116 + err = get_user(r27, (unsigned long*)addr);
126 + do { /* PaX: patched PLT emulation #2 */
127 + unsigned int ldah, lda, br;
129 + err = get_user(ldah, (unsigned int *)regs->pc);
130 + err |= get_user(lda, (unsigned int *)(regs->pc+4));
131 + err |= get_user(br, (unsigned int *)(regs->pc+8));
136 + if ((ldah & 0xFFFF0000U)== 0x277B0000U &&
137 + (lda & 0xFFFF0000U) == 0xA77B0000U &&
138 + (br & 0xFFE00000U) == 0xC3E00000U)
140 + unsigned long addr = br | 0xFFFFFFFFFFE00000UL;
141 + unsigned long addrh = (ldah | 0xFFFFFFFFFFFF0000UL) << 16;
142 + unsigned long addrl = lda | 0xFFFFFFFFFFFF0000UL;
144 + regs->r27 += ((addrh ^ 0x80000000UL) + 0x80000000UL) + ((addrl ^ 0x8000UL) + 0x8000UL);
145 + regs->pc += 12 + (((addr ^ 0x00100000UL) + 0x00100000UL) << 2);
150 + do { /* PaX: unpatched PLT emulation */
153 + err = get_user(br, (unsigned int *)regs->pc);
155 + if (!err && (br & 0xFFE00000U) == 0xC3800000U) {
156 + unsigned int br2, ldq, nop, jmp;
157 + unsigned long addr = br | 0xFFFFFFFFFFE00000UL, resolver;
159 + addr = regs->pc + 4 + (((addr ^ 0x00100000UL) + 0x00100000UL) << 2);
160 + err = get_user(br2, (unsigned int *)addr);
161 + err |= get_user(ldq, (unsigned int *)(addr+4));
162 + err |= get_user(nop, (unsigned int *)(addr+8));
163 + err |= get_user(jmp, (unsigned int *)(addr+12));
164 + err |= get_user(resolver, (unsigned long *)(addr+16));
169 + if (br2 == 0xC3600000U &&
170 + ldq == 0xA77B000CU &&
171 + nop == 0x47FF041FU &&
172 + jmp == 0x6B7B0000U)
174 + regs->r28 = regs->pc+4;
175 + regs->r27 = addr+16;
176 + regs->pc = resolver;
186 +void pax_report_insns(void *pc, void *sp)
190 + printk(KERN_ERR "PAX: bytes at PC: ");
191 + for (i = 0; i < 5; i++) {
193 + if (get_user(c, (unsigned int*)pc+i))
194 + printk("???????? ");
196 + printk("%08x ", c);
203 * This routine handles page faults. It determines the address,
204 @@ -133,8 +252,29 @@ do_page_fault(unsigned long address, uns
206 si_code = SEGV_ACCERR;
208 - if (!(vma->vm_flags & VM_EXEC))
209 + if (!(vma->vm_flags & VM_EXEC)) {
211 +#ifdef CONFIG_PAX_PAGEEXEC
212 + if (!(mm->pax_flags & MF_PAX_PAGEEXEC) || address != regs->pc)
215 + up_read(&mm->mmap_sem);
216 + switch(pax_handle_fetch_fault(regs)) {
218 +#ifdef CONFIG_PAX_EMUPLT
225 + pax_report_fault(regs, (void*)regs->pc, (void*)rdusp());
233 /* Allow reads even for write-only mappings */
234 if (!(vma->vm_flags & (VM_READ | VM_WRITE)))
235 diff -urNp linux-2.6.16.12/arch/arm/mm/mmap.c linux-2.6.16.12/arch/arm/mm/mmap.c
236 --- linux-2.6.16.12/arch/arm/mm/mmap.c 2006-05-01 15:14:26.000000000 -0400
237 +++ linux-2.6.16.12/arch/arm/mm/mmap.c 2006-05-01 20:17:33.000000000 -0400
238 @@ -62,6 +62,10 @@ arch_get_unmapped_area(struct file *filp
242 +#ifdef CONFIG_PAX_RANDMMAP
243 + if (!(mm->pax_flags & MF_PAX_RANDMMAP) || !filp)
248 addr = COLOUR_ALIGN(addr, pgoff);
249 @@ -76,7 +80,7 @@ arch_get_unmapped_area(struct file *filp
250 if (len > mm->cached_hole_size) {
251 start_addr = addr = mm->free_area_cache;
253 - start_addr = addr = TASK_UNMAPPED_BASE;
254 + start_addr = addr = mm->mmap_base;
255 mm->cached_hole_size = 0;
258 @@ -93,8 +97,8 @@ full_search:
259 * Start a new search - just in case we missed
262 - if (start_addr != TASK_UNMAPPED_BASE) {
263 - start_addr = addr = TASK_UNMAPPED_BASE;
264 + if (start_addr != mm->mmap_base) {
265 + start_addr = addr = mm->mmap_base;
266 mm->cached_hole_size = 0;
269 diff -urNp linux-2.6.16.12/arch/i386/boot/compressed/head.S linux-2.6.16.12/arch/i386/boot/compressed/head.S
270 --- linux-2.6.16.12/arch/i386/boot/compressed/head.S 2006-05-01 15:14:26.000000000 -0400
271 +++ linux-2.6.16.12/arch/i386/boot/compressed/head.S 2006-05-01 20:17:33.000000000 -0400
272 @@ -39,11 +39,13 @@ startup_32:
278 1: incl %eax # check that A20 really IS enabled
279 movl %eax,0x000000 # loop forever if it isn't
285 * Initialize eflags. Some BIOS's leave bits like NT set. This would
286 diff -urNp linux-2.6.16.12/arch/i386/Kconfig linux-2.6.16.12/arch/i386/Kconfig
287 --- linux-2.6.16.12/arch/i386/Kconfig 2006-05-01 15:14:26.000000000 -0400
288 +++ linux-2.6.16.12/arch/i386/Kconfig 2006-05-01 20:17:33.000000000 -0400
289 @@ -983,7 +983,7 @@ endchoice
293 - depends on !X86_VISWS && PCI && (PCI_GOBIOS || PCI_GOANY)
294 + depends on !X86_VISWS && PCI && PCI_GOBIOS
298 diff -urNp linux-2.6.16.12/arch/i386/Kconfig.cpu linux-2.6.16.12/arch/i386/Kconfig.cpu
299 --- linux-2.6.16.12/arch/i386/Kconfig.cpu 2006-05-01 15:14:26.000000000 -0400
300 +++ linux-2.6.16.12/arch/i386/Kconfig.cpu 2006-05-01 20:17:33.000000000 -0400
301 @@ -251,7 +251,7 @@ config X86_PPRO_FENCE
305 - depends on M586MMX || M586TSC || M586 || M486 || M386
306 + depends on (M586MMX || M586TSC || M586 || M486 || M386) && !PAX_KERNEXEC
309 config X86_WP_WORKS_OK
310 @@ -281,7 +281,7 @@ config X86_CMPXCHG64
312 config X86_ALIGNMENT_16
314 - depends on MWINCHIP3D || MWINCHIP2 || MWINCHIPC6 || MCYRIXIII || X86_ELAN || MK6 || M586MMX || M586TSC || M586 || M486 || MVIAC3_2 || MGEODEGX1
315 + depends on MWINCHIP3D || MWINCHIP2 || MWINCHIPC6 || MCYRIXIII || X86_ELAN || MK8 || MK7 || MK6 || MPENTIUM4 || MPENTIUMIII || MPENTIUMII || M686 || M586MMX || M586TSC || M586 || M486 || MVIAC3_2 || MGEODEGX1
319 diff -urNp linux-2.6.16.12/arch/i386/Kconfig.debug linux-2.6.16.12/arch/i386/Kconfig.debug
320 --- linux-2.6.16.12/arch/i386/Kconfig.debug 2006-05-01 15:14:26.000000000 -0400
321 +++ linux-2.6.16.12/arch/i386/Kconfig.debug 2006-05-01 20:17:33.000000000 -0400
322 @@ -44,7 +44,7 @@ config DEBUG_PAGEALLOC
325 bool "Write protect kernel read-only data structures"
326 - depends on DEBUG_KERNEL
327 + depends on DEBUG_KERNEL && 0
329 Mark the kernel read-only data as write-protected in the pagetables,
330 in order to catch accidental (and incorrect) writes to such const
331 diff -urNp linux-2.6.16.12/arch/i386/kernel/acpi/sleep.c linux-2.6.16.12/arch/i386/kernel/acpi/sleep.c
332 --- linux-2.6.16.12/arch/i386/kernel/acpi/sleep.c 2006-05-01 15:14:26.000000000 -0400
333 +++ linux-2.6.16.12/arch/i386/kernel/acpi/sleep.c 2006-05-01 20:17:33.000000000 -0400
335 #include <linux/dmi.h>
337 #include <asm/tlbflush.h>
338 +#include <asm/desc.h>
340 /* address in low memory of the wakeup routine. */
341 unsigned long acpi_wakeup_address = 0;
342 @@ -24,11 +25,22 @@ static void init_low_mapping(pgd_t * pgd
346 +#ifdef CONFIG_PAX_KERNEXEC
349 + pax_open_kernel(cr0);
352 while ((pgd_ofs < pgd_limit)
353 && (pgd_ofs + USER_PTRS_PER_PGD < PTRS_PER_PGD)) {
354 set_pgd(pgd, *(pgd + USER_PTRS_PER_PGD));
358 +#ifdef CONFIG_PAX_KERNEXEC
359 + pax_close_kernel(cr0);
365 @@ -55,7 +67,18 @@ int acpi_save_state_mem(void)
367 void acpi_restore_state_mem(void)
369 +#ifdef CONFIG_PAX_KERNEXEC
372 + pax_open_kernel(cr0);
377 +#ifdef CONFIG_PAX_KERNEXEC
378 + pax_close_kernel(cr0);
384 diff -urNp linux-2.6.16.12/arch/i386/kernel/apic.c linux-2.6.16.12/arch/i386/kernel/apic.c
385 --- linux-2.6.16.12/arch/i386/kernel/apic.c 2006-05-01 15:14:26.000000000 -0400
386 +++ linux-2.6.16.12/arch/i386/kernel/apic.c 2006-05-01 20:17:33.000000000 -0400
387 @@ -1150,7 +1150,7 @@ inline void smp_local_timer_interrupt(st
389 profile_tick(CPU_PROFILING, regs);
391 - update_process_times(user_mode_vm(regs));
392 + update_process_times(user_mode(regs));
396 diff -urNp linux-2.6.16.12/arch/i386/kernel/apm.c linux-2.6.16.12/arch/i386/kernel/apm.c
397 --- linux-2.6.16.12/arch/i386/kernel/apm.c 2006-05-01 15:14:26.000000000 -0400
398 +++ linux-2.6.16.12/arch/i386/kernel/apm.c 2006-05-01 20:17:33.000000000 -0400
399 @@ -589,9 +589,18 @@ static u8 apm_bios_call(u32 func, u32 eb
400 struct desc_struct save_desc_40;
401 struct desc_struct *gdt;
403 +#ifdef CONFIG_PAX_KERNEXEC
407 cpus = apm_save_cpus();
411 +#ifdef CONFIG_PAX_KERNEXEC
412 + pax_open_kernel(cr0);
415 gdt = get_cpu_gdt_table(cpu);
416 save_desc_40 = gdt[0x40 / 8];
417 gdt[0x40 / 8] = bad_bios_desc;
418 @@ -603,6 +612,11 @@ static u8 apm_bios_call(u32 func, u32 eb
420 local_irq_restore(flags);
421 gdt[0x40 / 8] = save_desc_40;
423 +#ifdef CONFIG_PAX_KERNEXEC
424 + pax_close_kernel(cr0);
428 apm_restore_cpus(cpus);
430 @@ -633,9 +647,18 @@ static u8 apm_bios_call_simple(u32 func,
431 struct desc_struct save_desc_40;
432 struct desc_struct *gdt;
434 +#ifdef CONFIG_PAX_KERNEXEC
438 cpus = apm_save_cpus();
442 +#ifdef CONFIG_PAX_KERNEXEC
443 + pax_open_kernel(cr0);
446 gdt = get_cpu_gdt_table(cpu);
447 save_desc_40 = gdt[0x40 / 8];
448 gdt[0x40 / 8] = bad_bios_desc;
449 @@ -647,6 +670,11 @@ static u8 apm_bios_call_simple(u32 func,
451 local_irq_restore(flags);
452 gdt[0x40 / 8] = save_desc_40;
454 +#ifdef CONFIG_PAX_KERNEXEC
455 + pax_close_kernel(cr0);
459 apm_restore_cpus(cpus);
461 diff -urNp linux-2.6.16.12/arch/i386/kernel/asm-offsets.c linux-2.6.16.12/arch/i386/kernel/asm-offsets.c
462 --- linux-2.6.16.12/arch/i386/kernel/asm-offsets.c 2006-05-01 15:14:26.000000000 -0400
463 +++ linux-2.6.16.12/arch/i386/kernel/asm-offsets.c 2006-05-01 20:17:33.000000000 -0400
464 @@ -68,5 +68,6 @@ void foo(void)
465 sizeof(struct tss_struct));
467 DEFINE(PAGE_SIZE_asm, PAGE_SIZE);
468 + DEFINE(PTRS_PER_PTE_asm, PTRS_PER_PTE);
469 DEFINE(VSYSCALL_BASE, __fix_to_virt(FIX_VSYSCALL));
471 diff -urNp linux-2.6.16.12/arch/i386/kernel/cpu/common.c linux-2.6.16.12/arch/i386/kernel/cpu/common.c
472 --- linux-2.6.16.12/arch/i386/kernel/cpu/common.c 2006-05-01 15:14:26.000000000 -0400
473 +++ linux-2.6.16.12/arch/i386/kernel/cpu/common.c 2006-05-01 20:17:33.000000000 -0400
475 #include <linux/smp.h>
476 #include <linux/module.h>
477 #include <linux/percpu.h>
478 -#include <linux/bootmem.h>
479 #include <asm/semaphore.h>
480 #include <asm/processor.h>
481 #include <asm/i387.h>
486 -DEFINE_PER_CPU(struct Xgt_desc_struct, cpu_gdt_descr);
487 -EXPORT_PER_CPU_SYMBOL(cpu_gdt_descr);
489 DEFINE_PER_CPU(unsigned char, cpu_16bit_stack[CPU_16BIT_STACK_SIZE]);
490 EXPORT_PER_CPU_SYMBOL(cpu_16bit_stack);
492 @@ -387,6 +383,10 @@ void __devinit identify_cpu(struct cpuin
493 if (this_cpu->c_init)
496 +#if defined(CONFIG_PAX_SEGMEXEC) || defined(CONFIG_PAX_KERNEXEC) || defined(CONFIG_PAX_NOVSYSCALL)
497 + clear_bit(X86_FEATURE_SEP, c->x86_capability);
500 /* Disable the PN if appropriate */
501 squash_the_stupid_serial_number(c);
503 @@ -573,11 +573,10 @@ void __init early_cpu_init(void)
504 void __devinit cpu_init(void)
506 int cpu = smp_processor_id();
507 - struct tss_struct * t = &per_cpu(init_tss, cpu);
508 + struct tss_struct * t = init_tss + cpu;
509 struct thread_struct *thread = ¤t->thread;
510 - struct desc_struct *gdt;
511 + struct desc_struct *gdt = get_cpu_gdt_table(cpu);
512 __u32 stk16_off = (__u32)&per_cpu(cpu_16bit_stack, cpu);
513 - struct Xgt_desc_struct *cpu_gdt_descr = &per_cpu(cpu_gdt_descr, cpu);
515 if (cpu_test_and_set(cpu, cpu_initialized)) {
516 printk(KERN_WARNING "CPU#%d already initialized!\n", cpu);
517 @@ -595,29 +594,11 @@ void __devinit cpu_init(void)
521 - * This is a horrible hack to allocate the GDT. The problem
522 - * is that cpu_init() is called really early for the boot CPU
523 - * (and hence needs bootmem) but much later for the secondary
524 - * CPUs, when bootmem will have gone away
526 - if (NODE_DATA(0)->bdata->node_bootmem_map) {
527 - gdt = (struct desc_struct *)alloc_bootmem_pages(PAGE_SIZE);
528 - /* alloc_bootmem_pages panics on failure, so no check */
529 - memset(gdt, 0, PAGE_SIZE);
531 - gdt = (struct desc_struct *)get_zeroed_page(GFP_KERNEL);
532 - if (unlikely(!gdt)) {
533 - printk(KERN_CRIT "CPU%d failed to allocate GDT\n", cpu);
535 - local_irq_enable();
540 * Initialize the per-CPU GDT with the boot GDT,
541 * and set up the GDT descriptor:
543 - memcpy(gdt, cpu_gdt_table, GDT_SIZE);
545 + memcpy(gdt, cpu_gdt_table, GDT_SIZE);
547 /* Set up GDT entry for 16bit stack */
548 *(__u64 *)(&gdt[GDT_ENTRY_ESPFIX_SS]) |=
549 @@ -625,10 +606,10 @@ void __devinit cpu_init(void)
550 ((((__u64)stk16_off) << 32) & 0xff00000000000000ULL) |
551 (CPU_16BIT_STACK_SIZE - 1);
553 - cpu_gdt_descr->size = GDT_SIZE - 1;
554 - cpu_gdt_descr->address = (unsigned long)gdt;
555 + cpu_gdt_descr[cpu].size = GDT_SIZE - 1;
556 + cpu_gdt_descr[cpu].address = (unsigned long)gdt;
558 - load_gdt(cpu_gdt_descr);
559 + load_gdt(&cpu_gdt_descr[cpu]);
560 load_idt(&idt_descr);
563 @@ -643,7 +624,7 @@ void __devinit cpu_init(void)
564 load_esp0(t, thread);
567 - load_LDT(&init_mm.context);
568 + _load_LDT(&init_mm.context);
570 #ifdef CONFIG_DOUBLEFAULT
571 /* Set up doublefault TSS pointer in the GDT */
572 diff -urNp linux-2.6.16.12/arch/i386/kernel/doublefault.c linux-2.6.16.12/arch/i386/kernel/doublefault.c
573 --- linux-2.6.16.12/arch/i386/kernel/doublefault.c 2006-05-01 15:14:26.000000000 -0400
574 +++ linux-2.6.16.12/arch/i386/kernel/doublefault.c 2006-05-01 20:17:33.000000000 -0400
577 #define DOUBLEFAULT_STACKSIZE (1024)
578 static unsigned long doublefault_stack[DOUBLEFAULT_STACKSIZE];
579 -#define STACK_START (unsigned long)(doublefault_stack+DOUBLEFAULT_STACKSIZE)
580 +#define STACK_START (unsigned long)(doublefault_stack+DOUBLEFAULT_STACKSIZE-2)
582 #define ptr_ok(x) ((x) > PAGE_OFFSET && (x) < PAGE_OFFSET + 0x1000000)
584 diff -urNp linux-2.6.16.12/arch/i386/kernel/efi.c linux-2.6.16.12/arch/i386/kernel/efi.c
585 --- linux-2.6.16.12/arch/i386/kernel/efi.c 2006-05-01 15:14:26.000000000 -0400
586 +++ linux-2.6.16.12/arch/i386/kernel/efi.c 2006-05-01 20:17:33.000000000 -0400
587 @@ -64,82 +64,58 @@ extern void * boot_ioremap(unsigned long
589 static unsigned long efi_rt_eflags;
590 static DEFINE_SPINLOCK(efi_rt_lock);
591 -static pgd_t efi_bak_pg_dir_pointer[2];
592 +static pgd_t __initdata efi_bak_pg_dir_pointer[4];
594 -static void efi_call_phys_prelog(void)
595 +static void __init efi_call_phys_prelog(void)
598 - unsigned long temp;
599 - struct Xgt_desc_struct *cpu_gdt_descr;
601 spin_lock(&efi_rt_lock);
602 local_irq_save(efi_rt_eflags);
604 - cpu_gdt_descr = &per_cpu(cpu_gdt_descr, 0);
605 + efi_bak_pg_dir_pointer[0] = swapper_pg_dir[0];
606 + swapper_pg_dir[0] = swapper_pg_dir[USER_PTRS_PER_PGD];
609 - * If I don't have PSE, I should just duplicate two entries in page
610 - * directory. If I have PSE, I just need to duplicate one entry in
615 - if (cr4 & X86_CR4_PSE) {
616 - efi_bak_pg_dir_pointer[0].pgd =
617 - swapper_pg_dir[pgd_index(0)].pgd;
618 - swapper_pg_dir[0].pgd =
619 - swapper_pg_dir[pgd_index(PAGE_OFFSET)].pgd;
621 - efi_bak_pg_dir_pointer[0].pgd =
622 - swapper_pg_dir[pgd_index(0)].pgd;
623 - efi_bak_pg_dir_pointer[1].pgd =
624 - swapper_pg_dir[pgd_index(0x400000)].pgd;
625 - swapper_pg_dir[pgd_index(0)].pgd =
626 - swapper_pg_dir[pgd_index(PAGE_OFFSET)].pgd;
627 - temp = PAGE_OFFSET + 0x400000;
628 - swapper_pg_dir[pgd_index(0x400000)].pgd =
629 - swapper_pg_dir[pgd_index(temp)].pgd;
631 +#ifndef CONFIG_X86_PAE
632 + efi_bak_pg_dir_pointer[1] = swapper_pg_dir[1];
633 + swapper_pg_dir[1] = swapper_pg_dir[USER_PTRS_PER_PGD+1];
634 + efi_bak_pg_dir_pointer[2] = swapper_pg_dir[2];
635 + swapper_pg_dir[2] = swapper_pg_dir[USER_PTRS_PER_PGD+2];
636 + efi_bak_pg_dir_pointer[3] = swapper_pg_dir[3];
637 + swapper_pg_dir[3] = swapper_pg_dir[USER_PTRS_PER_PGD+3];
641 * After the lock is released, the original page table is restored.
646 - cpu_gdt_descr->address = __pa(cpu_gdt_descr->address);
647 - load_gdt(cpu_gdt_descr);
648 + cpu_gdt_descr[0].address = __pa(cpu_gdt_descr[0].address);
649 + load_gdt((struct Xgt_desc_struct *) __pa(&cpu_gdt_descr[0]));
652 -static void efi_call_phys_epilog(void)
653 +static void __init efi_call_phys_epilog(void)
656 - struct Xgt_desc_struct *cpu_gdt_descr = &per_cpu(cpu_gdt_descr, 0);
658 - cpu_gdt_descr->address = __va(cpu_gdt_descr->address);
659 - load_gdt(cpu_gdt_descr);
660 + cpu_gdt_descr[0].address =
661 + (unsigned long) __va(cpu_gdt_descr[0].address);
662 + load_gdt(&cpu_gdt_descr[0]);
665 + swapper_pg_dir[0] = efi_bak_pg_dir_pointer[0];
667 - if (cr4 & X86_CR4_PSE) {
668 - swapper_pg_dir[pgd_index(0)].pgd =
669 - efi_bak_pg_dir_pointer[0].pgd;
671 - swapper_pg_dir[pgd_index(0)].pgd =
672 - efi_bak_pg_dir_pointer[0].pgd;
673 - swapper_pg_dir[pgd_index(0x400000)].pgd =
674 - efi_bak_pg_dir_pointer[1].pgd;
676 +#ifndef CONFIG_X86_PAE
677 + swapper_pg_dir[1] = efi_bak_pg_dir_pointer[1];
678 + swapper_pg_dir[2] = efi_bak_pg_dir_pointer[2];
679 + swapper_pg_dir[3] = efi_bak_pg_dir_pointer[3];
683 * After the lock is released, the original page table is restored.
688 local_irq_restore(efi_rt_eflags);
689 spin_unlock(&efi_rt_lock);
693 +static efi_status_t __init
694 phys_efi_set_virtual_address_map(unsigned long memory_map_size,
695 unsigned long descriptor_size,
696 u32 descriptor_version,
697 @@ -155,7 +131,7 @@ phys_efi_set_virtual_address_map(unsigne
702 +static efi_status_t __init
703 phys_efi_get_time(efi_time_t *tm, efi_time_cap_t *tc)
706 diff -urNp linux-2.6.16.12/arch/i386/kernel/efi_stub.S linux-2.6.16.12/arch/i386/kernel/efi_stub.S
707 --- linux-2.6.16.12/arch/i386/kernel/efi_stub.S 2006-05-01 15:14:26.000000000 -0400
708 +++ linux-2.6.16.12/arch/i386/kernel/efi_stub.S 2006-05-01 20:17:33.000000000 -0400
711 #include <linux/config.h>
712 #include <linux/linkage.h>
713 +#include <linux/init.h>
714 #include <asm/page.h>
715 #include <asm/pgtable.h>
718 * service functions will comply with gcc calling convention, too.
725 * 0. The function can only be called in Linux kernel. So CS has been
726 @@ -38,9 +39,7 @@ ENTRY(efi_call_phys)
727 * The mapping of lower virtual memory has been created in prelog and
731 - subl $__PAGE_OFFSET, %edx
733 + jmp 1f-__PAGE_OFFSET
737 @@ -49,14 +48,8 @@ ENTRY(efi_call_phys)
738 * parameter 2, ..., param n. To make things easy, we save the return
739 * address of efi_call_phys in a global variable.
742 - movl %edx, saved_return_addr
743 - /* get the function pointer into ECX*/
745 - movl %ecx, efi_rt_function_ptr
747 - subl $__PAGE_OFFSET, %edx
749 + popl (saved_return_addr)
750 + popl (efi_rt_function_ptr)
753 * 3. Clear PG bit in %CR0.
754 @@ -75,9 +68,8 @@ ENTRY(efi_call_phys)
756 * 5. Call the physical function.
759 + call *(efi_rt_function_ptr-__PAGE_OFFSET)
763 * 6. After EFI runtime service returns, control will return to
764 * following instruction. We'd better readjust stack pointer first.
765 @@ -87,37 +79,29 @@ ENTRY(efi_call_phys)
770 - orl $0x80000000, %edx
775 * 8. Now restore the virtual mode from flat mode by
776 * adding EIP with PAGE_OFFSET.
781 + orl $0x80000000, %edx
783 + jmp 1f+__PAGE_OFFSET
787 * 9. Balance the stack. And because EAX contain the return value,
788 * we'd better not clobber it.
790 - leal efi_rt_function_ptr, %edx
793 + pushl (efi_rt_function_ptr)
796 - * 10. Push the saved return address onto the stack and return.
797 + * 10. Return to the saved return address.
799 - leal saved_return_addr, %edx
803 + jmpl *(saved_return_addr)
811 diff -urNp linux-2.6.16.12/arch/i386/kernel/entry.S linux-2.6.16.12/arch/i386/kernel/entry.S
812 --- linux-2.6.16.12/arch/i386/kernel/entry.S 2006-05-01 15:14:26.000000000 -0400
813 +++ linux-2.6.16.12/arch/i386/kernel/entry.S 2006-05-01 20:17:33.000000000 -0400
814 @@ -82,7 +82,7 @@ VM_MASK = 0x00020000
815 #define resume_kernel restore_nocheck
819 +#define __SAVE_ALL \
823 @@ -97,6 +97,18 @@ VM_MASK = 0x00020000
827 +#ifdef CONFIG_PAX_KERNEXEC
832 + orl $0x10000, %edx; \
836 +#define SAVE_ALL __SAVE_ALL
839 #define RESTORE_INT_REGS \
842 @@ -146,7 +158,19 @@ ret_from_intr:
843 movl EFLAGS(%esp), %eax # mix EFLAGS and CS
845 testl $(VM_MASK | 3), %eax
847 +#ifdef CONFIG_PAX_KERNEXEC
848 + jnz resume_userspace
859 ENTRY(resume_userspace)
860 cli # make sure we don't miss an interrupt
861 # setting need_resched or sigpending
862 @@ -213,6 +237,13 @@ sysenter_past_esp:
863 movl TI_flags(%ebp), %ecx
864 testw $_TIF_ALLWORK_MASK, %cx
865 jne syscall_exit_work
867 +#ifdef CONFIG_PAX_RANDKSTACK
869 + call pax_randomize_kstack
873 /* if something modifies registers it must also disable sysexit */
875 movl OLDESP(%esp), %ecx
876 @@ -243,6 +274,10 @@ syscall_exit:
877 testw $_TIF_ALLWORK_MASK, %cx # current->work
878 jne syscall_exit_work
880 +#ifdef CONFIG_PAX_RANDKSTACK
881 + call pax_randomize_kstack
885 movl EFLAGS(%esp), %eax # mix EFLAGS, SS and CS
886 # Warning: OLDSS(%esp) contains the wrong/random values if we
887 @@ -398,7 +433,7 @@ syscall_badsys:
888 * Build the entry stubs and pointer table with
889 * some assembler magic.
892 +.section .rodata,"a",@progbits
896 @@ -408,7 +443,7 @@ ENTRY(irq_entries_start)
901 +.section .rodata,"a",@progbits
905 @@ -459,6 +494,15 @@ error_code:
908 movl %esp,%eax # pt_regs pointer
910 +#ifdef CONFIG_PAX_KERNEXEC
919 jmp ret_from_exception
921 @@ -554,6 +598,13 @@ nmi_stack_correct:
922 xorl %edx,%edx # zero error code
923 movl %esp,%eax # pt_regs pointer
926 +#ifdef CONFIG_PAX_KERNEXEC
935 @@ -584,6 +635,13 @@ nmi_16bit_stack:
936 FIXUP_ESPFIX_STACK # %eax == %esp
937 xorl %edx,%edx # zero error code
940 +#ifdef CONFIG_PAX_KERNEXEC
947 lss 12+4(%esp), %esp # back to 16bit stack
949 @@ -659,7 +717,6 @@ ENTRY(spurious_interrupt_bug)
950 pushl $do_spurious_interrupt_bug
953 -.section .rodata,"a"
954 #include "syscall_table.S"
956 syscall_table_size=(.-sys_call_table)
957 diff -urNp linux-2.6.16.12/arch/i386/kernel/head.S linux-2.6.16.12/arch/i386/kernel/head.S
958 --- linux-2.6.16.12/arch/i386/kernel/head.S 2006-05-01 15:14:26.000000000 -0400
959 +++ linux-2.6.16.12/arch/i386/kernel/head.S 2006-05-01 20:17:33.000000000 -0400
964 + * Real beginning of normal "text" segment
970 * 32-bit kernel entrypoint; only used by the boot CPU. On entry,
971 * %esi points to the real-mode code as a 32-bit pointer.
972 * CS and DS must be 4 GB flat segments, but we don't depend on
973 @@ -67,6 +73,19 @@ ENTRY(startup_32)
977 +#ifdef CONFIG_PAX_KERNEXEC
978 + movl $ __KERNEL_TEXT_OFFSET,%eax
979 + movw %ax,(cpu_gdt_table - __PAGE_OFFSET + __KERNEL_CS + 2)
981 + movb %al,(cpu_gdt_table - __PAGE_OFFSET + __KERNEL_CS + 4)
982 + movb %ah,(cpu_gdt_table - __PAGE_OFFSET + __KERNEL_CS + 7)
984 + movb %al,(boot_gdt_table - __PAGE_OFFSET + __BOOT_CS + 4)
985 + movb %ah,(boot_gdt_table - __PAGE_OFFSET + __BOOT_CS + 7)
987 + movw %ax,(boot_gdt_table - __PAGE_OFFSET + __BOOT_CS + 2)
991 * Clear BSS first so that there are no surprises...
992 * No need to cld as DF is already clear from cld above...
993 @@ -114,24 +133,42 @@ ENTRY(startup_32)
994 * Warning: don't use %esi or the stack in this code. However, %esp
995 * can be used as a GPR if you really need it...
997 -page_pde_offset = (__PAGE_OFFSET >> 20);
999 +#ifdef CONFIG_X86_PAE
1000 +page_pde_offset = ((__PAGE_OFFSET >> 21) * (4096 / PTRS_PER_PTE_asm));
1002 +page_pde_offset = ((__PAGE_OFFSET >> 22) * (4096 / PTRS_PER_PTE_asm));
1004 movl $(pg0 - __PAGE_OFFSET), %edi
1005 +#ifdef CONFIG_X86_PAE
1006 + movl $(swapper_pm_dir - __PAGE_OFFSET), %edx
1008 movl $(swapper_pg_dir - __PAGE_OFFSET), %edx
1009 - movl $0x007, %eax /* 0x007 = PRESENT+RW+USER */
1011 + movl $0x063, %eax /* 0x063 = DIRTY+ACCESSED+PRESENT+RW */
1013 - leal 0x007(%edi),%ecx /* Create PDE entry */
1014 + leal 0x063(%edi),%ecx /* Create PDE entry */
1015 movl %ecx,(%edx) /* Store identity PDE entry */
1016 movl %ecx,page_pde_offset(%edx) /* Store kernel PDE entry */
1017 +#ifdef CONFIG_X86_PAE
1019 + movl $0,page_pde_offset+4(%edx)
1028 +#ifdef CONFIG_X86_PAE
1034 /* End condition: we must map up to and including INIT_MAP_BEYOND_END */
1035 - /* bytes beyond the end of our own page tables; the +0x007 is the attribute bits */
1036 - leal (INIT_MAP_BEYOND_END+0x007)(%edi),%ebp
1037 + /* bytes beyond the end of our own page tables; the +0x063 is the attribute bits */
1038 + leal (INIT_MAP_BEYOND_END+0x063)(%edi),%ebp
1041 movl %edi,(init_pg_tables_end - __PAGE_OFFSET)
1042 @@ -154,6 +191,11 @@ ENTRY(startup_32_smp)
1046 + /* This is a secondary processor (AP) */
1049 +#endif /* CONFIG_SMP */
1052 * New page tables may be in 4Mbyte page mode and may
1053 * be using the global pages.
1054 @@ -169,26 +211,27 @@ ENTRY(startup_32_smp)
1055 * not yet offset PAGE_OFFSET..
1057 #define cr4_bits mmu_cr4_features-__PAGE_OFFSET
1063 movl %cr4,%eax # Turn on paging options (PSE,PAE,..)
1067 - btl $5, %eax # check if PAE is enabled
1069 +#ifdef CONFIG_X86_PAE
1072 /* Check if extended functions are implemented */
1073 movl $0x80000000, %eax
1075 cmpl $0x80000000, %eax
1078 mov $0x80000001, %eax
1080 /* Execute Disable bit supported? */
1085 /* Setup EFER (Extended Feature Enable Register) */
1086 movl $0xc0000080, %ecx
1087 @@ -197,14 +240,12 @@ ENTRY(startup_32_smp)
1089 /* Make changes effective */
1091 + btsl $63,__supported_pte_mask-__PAGE_OFFSET
1094 - /* This is a secondary processor (AP) */
1099 -#endif /* CONFIG_SMP */
1107 @@ -229,9 +270,7 @@ ENTRY(startup_32_smp)
1111 - jz 1f /* Initial CPU cleans BSS */
1114 + jnz checkCPUtype /* Initial CPU cleans BSS */
1115 #endif /* CONFIG_SMP */
1118 @@ -412,32 +451,50 @@ ignore_int:
1123 - * Real beginning of normal "text" segment
1131 -.section ".bss.page_aligned","w"
1132 +.section .swapper_pg_dir,"a",@progbits
1133 ENTRY(swapper_pg_dir)
1134 +#ifdef CONFIG_X86_PAE
1135 + .long swapper_pm_dir-__PAGE_OFFSET+1
1137 + .long swapper_pm_dir+512*8-__PAGE_OFFSET+1
1139 + .long swapper_pm_dir+512*16-__PAGE_OFFSET+1
1141 + .long swapper_pm_dir+512*24-__PAGE_OFFSET+1
1147 +#ifdef CONFIG_X86_PAE
1148 +.section .swapper_pm_dir,"a",@progbits
1149 +ENTRY(swapper_pm_dir)
1156 +.section .empty_zero_page,"a",@progbits
1157 ENTRY(empty_zero_page)
1161 - * This starts the data section.
1164 + * The IDT has to be page-aligned to simplify the Pentium
1165 + * F0 0F bug workaround.. We have a special link segment
1168 +.section .idt,"a",@progbits
1172 +.section .rodata,"a",@progbits
1176 - .long init_thread_union+THREAD_SIZE
1177 + .long init_thread_union+THREAD_SIZE-8
1183 .asciz "Unknown interrupt or fault at EIP %p %p %p\n"
1185 @@ -479,8 +536,8 @@ cpu_gdt_descr:
1186 .align L1_CACHE_BYTES
1187 ENTRY(boot_gdt_table)
1188 .fill GDT_ENTRY_BOOT_CS,8,0
1189 - .quad 0x00cf9a000000ffff /* kernel 4GB code at 0x00000000 */
1190 - .quad 0x00cf92000000ffff /* kernel 4GB data at 0x00000000 */
1191 + .quad 0x00cf9b000000ffff /* kernel 4GB code at 0x00000000 */
1192 + .quad 0x00cf93000000ffff /* kernel 4GB data at 0x00000000 */
1195 * The Global Descriptor Table contains 28 quadwords, per-CPU.
1196 @@ -500,10 +557,10 @@ ENTRY(cpu_gdt_table)
1197 .quad 0x0000000000000000 /* 0x53 reserved */
1198 .quad 0x0000000000000000 /* 0x5b reserved */
1200 - .quad 0x00cf9a000000ffff /* 0x60 kernel 4GB code at 0x00000000 */
1201 - .quad 0x00cf92000000ffff /* 0x68 kernel 4GB data at 0x00000000 */
1202 - .quad 0x00cffa000000ffff /* 0x73 user 4GB code at 0x00000000 */
1203 - .quad 0x00cff2000000ffff /* 0x7b user 4GB data at 0x00000000 */
1204 + .quad 0x00cf9b000000ffff /* 0x60 kernel 4GB code at 0x00000000 */
1205 + .quad 0x00cf93000000ffff /* 0x68 kernel 4GB data at 0x00000000 */
1206 + .quad 0x00cffb000000ffff /* 0x73 user 4GB code at 0x00000000 */
1207 + .quad 0x00cff3000000ffff /* 0x7b user 4GB data at 0x00000000 */
1209 .quad 0x0000000000000000 /* 0x80 TSS descriptor */
1210 .quad 0x0000000000000000 /* 0x88 LDT descriptor */
1211 @@ -513,24 +570,30 @@ ENTRY(cpu_gdt_table)
1212 * They code segments and data segments have fixed 64k limits,
1213 * the transfer segment sizes are set at run time.
1215 - .quad 0x00409a000000ffff /* 0x90 32-bit code */
1216 - .quad 0x00009a000000ffff /* 0x98 16-bit code */
1217 - .quad 0x000092000000ffff /* 0xa0 16-bit data */
1218 - .quad 0x0000920000000000 /* 0xa8 16-bit data */
1219 - .quad 0x0000920000000000 /* 0xb0 16-bit data */
1220 + .quad 0x00409b000000ffff /* 0x90 32-bit code */
1221 + .quad 0x00009b000000ffff /* 0x98 16-bit code */
1222 + .quad 0x000093000000ffff /* 0xa0 16-bit data */
1223 + .quad 0x0000930000000000 /* 0xa8 16-bit data */
1224 + .quad 0x0000930000000000 /* 0xb0 16-bit data */
1227 * The APM segments have byte granularity and their bases
1228 * are set at run time. All have 64k limits.
1230 - .quad 0x00409a000000ffff /* 0xb8 APM CS code */
1231 - .quad 0x00009a000000ffff /* 0xc0 APM CS 16 code (16 bit) */
1232 - .quad 0x004092000000ffff /* 0xc8 APM DS data */
1233 + .quad 0x00409b000000ffff /* 0xb8 APM CS code */
1234 + .quad 0x00009b000000ffff /* 0xc0 APM CS 16 code (16 bit) */
1235 + .quad 0x004093000000ffff /* 0xc8 APM DS data */
1237 - .quad 0x0000920000000000 /* 0xd0 - ESPFIX 16-bit SS */
1238 + .quad 0x0000930000000000 /* 0xd0 - ESPFIX 16-bit SS */
1239 .quad 0x0000000000000000 /* 0xd8 - unused */
1240 .quad 0x0000000000000000 /* 0xe0 - unused */
1241 .quad 0x0000000000000000 /* 0xe8 - unused */
1242 .quad 0x0000000000000000 /* 0xf0 - unused */
1243 .quad 0x0000000000000000 /* 0xf8 - GDT entry 31: double-fault TSS */
1245 + /* Be sure this is zeroed to avoid false validations in Xen */
1246 + .fill PAGE_SIZE_asm / 8 - GDT_ENTRIES,8,0
1249 + .fill (NR_CPUS-1) * (PAGE_SIZE_asm / 8),8,0 /* other CPU's GDT */
1251 diff -urNp linux-2.6.16.12/arch/i386/kernel/i386_ksyms.c linux-2.6.16.12/arch/i386/kernel/i386_ksyms.c
1252 --- linux-2.6.16.12/arch/i386/kernel/i386_ksyms.c 2006-05-01 15:14:26.000000000 -0400
1253 +++ linux-2.6.16.12/arch/i386/kernel/i386_ksyms.c 2006-05-01 20:17:33.000000000 -0400
1255 #include <asm/checksum.h>
1256 #include <asm/desc.h>
1258 +EXPORT_SYMBOL_GPL(cpu_gdt_table);
1260 EXPORT_SYMBOL(__down_failed);
1261 EXPORT_SYMBOL(__down_failed_interruptible);
1262 EXPORT_SYMBOL(__down_failed_trylock);
1263 diff -urNp linux-2.6.16.12/arch/i386/kernel/init_task.c linux-2.6.16.12/arch/i386/kernel/init_task.c
1264 --- linux-2.6.16.12/arch/i386/kernel/init_task.c 2006-05-01 15:14:26.000000000 -0400
1265 +++ linux-2.6.16.12/arch/i386/kernel/init_task.c 2006-05-01 20:17:33.000000000 -0400
1266 @@ -42,5 +42,5 @@ EXPORT_SYMBOL(init_task);
1267 * per-CPU TSS segments. Threads are completely 'soft' on Linux,
1268 * no more per-task TSS's.
1270 -DEFINE_PER_CPU(struct tss_struct, init_tss) ____cacheline_internodealigned_in_smp = INIT_TSS;
1271 +struct tss_struct init_tss[NR_CPUS] ____cacheline_internodealigned_in_smp = { [0 ... NR_CPUS-1] = INIT_TSS };
1273 diff -urNp linux-2.6.16.12/arch/i386/kernel/ioport.c linux-2.6.16.12/arch/i386/kernel/ioport.c
1274 --- linux-2.6.16.12/arch/i386/kernel/ioport.c 2006-05-01 15:14:26.000000000 -0400
1275 +++ linux-2.6.16.12/arch/i386/kernel/ioport.c 2006-05-01 20:17:33.000000000 -0400
1277 #include <linux/stddef.h>
1278 #include <linux/slab.h>
1279 #include <linux/thread_info.h>
1280 +#include <linux/grsecurity.h>
1282 /* Set EXTENT bits starting at BASE in BITMAP to value TURN_ON. */
1283 static void set_bitmap(unsigned long *bitmap, unsigned int base, unsigned int extent, int new_value)
1284 @@ -64,9 +65,16 @@ asmlinkage long sys_ioperm(unsigned long
1286 if ((from + num <= from) || (from + num > IO_BITMAP_BITS))
1288 +#ifdef CONFIG_GRKERNSEC_IO
1290 + gr_handle_ioperm();
1292 if (turn_on && !capable(CAP_SYS_RAWIO))
1296 +#ifdef CONFIG_GRKERNSEC_IO
1300 * If it's the first ioperm() call in this thread's lifetime, set the
1301 * IO bitmap up. ioperm() is much less timing critical than clone(),
1302 @@ -88,7 +96,7 @@ asmlinkage long sys_ioperm(unsigned long
1303 * because the ->io_bitmap_max value must match the bitmap
1306 - tss = &per_cpu(init_tss, get_cpu());
1307 + tss = init_tss + get_cpu();
1309 set_bitmap(t->io_bitmap_ptr, from, num, !turn_on);
1311 @@ -142,8 +150,13 @@ asmlinkage long sys_iopl(unsigned long u
1313 /* Trying to gain more privileges? */
1315 +#ifdef CONFIG_GRKERNSEC_IO
1319 if (!capable(CAP_SYS_RAWIO))
1323 t->iopl = level << 12;
1324 regs->eflags = (regs->eflags & ~X86_EFLAGS_IOPL) | t->iopl;
1325 diff -urNp linux-2.6.16.12/arch/i386/kernel/irq.c linux-2.6.16.12/arch/i386/kernel/irq.c
1326 --- linux-2.6.16.12/arch/i386/kernel/irq.c 2006-05-01 15:14:26.000000000 -0400
1327 +++ linux-2.6.16.12/arch/i386/kernel/irq.c 2006-05-01 20:17:33.000000000 -0400
1328 @@ -91,7 +91,7 @@ fastcall unsigned int do_IRQ(struct pt_r
1329 int arg1, arg2, ebx;
1331 /* build the stack frame on the IRQ stack */
1332 - isp = (u32*) ((char*)irqctx + sizeof(*irqctx));
1333 + isp = (u32*) ((char*)irqctx + sizeof(*irqctx)) - 2;
1334 irqctx->tinfo.task = curctx->tinfo.task;
1335 irqctx->tinfo.previous_esp = current_stack_pointer;
1337 @@ -119,10 +119,10 @@ fastcall unsigned int do_IRQ(struct pt_r
1338 * gcc's 3.0 and earlier don't handle that correctly.
1340 static char softirq_stack[NR_CPUS * THREAD_SIZE]
1341 - __attribute__((__aligned__(THREAD_SIZE)));
1342 + __attribute__((__aligned__(THREAD_SIZE), __section__(".bss.page_aligned")));
1344 static char hardirq_stack[NR_CPUS * THREAD_SIZE]
1345 - __attribute__((__aligned__(THREAD_SIZE)));
1346 + __attribute__((__aligned__(THREAD_SIZE), __section__(".bss.page_aligned")));
1349 * allocate per-cpu stacks for hardirq and for softirq processing
1350 @@ -182,7 +182,7 @@ asmlinkage void do_softirq(void)
1351 irqctx->tinfo.previous_esp = current_stack_pointer;
1353 /* build the stack frame on the softirq stack */
1354 - isp = (u32*) ((char*)irqctx + sizeof(*irqctx));
1355 + isp = (u32*) ((char*)irqctx + sizeof(*irqctx)) - 2;
1358 " xchgl %%ebx,%%esp \n"
1359 diff -urNp linux-2.6.16.12/arch/i386/kernel/ldt.c linux-2.6.16.12/arch/i386/kernel/ldt.c
1360 --- linux-2.6.16.12/arch/i386/kernel/ldt.c 2006-05-01 15:14:26.000000000 -0400
1361 +++ linux-2.6.16.12/arch/i386/kernel/ldt.c 2006-05-01 20:17:33.000000000 -0400
1362 @@ -103,6 +103,19 @@ int init_new_context(struct task_struct
1363 retval = copy_ldt(&mm->context, &old_mm->context);
1364 up(&old_mm->context.sem);
1367 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
1368 + if (!mm->context.user_cs_limit) {
1369 + mm->context.user_cs_base = 0UL;
1370 + mm->context.user_cs_limit = ~0UL;
1372 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_SMP)
1373 + cpus_clear(mm->context.cpu_user_cs_mask);
1382 @@ -160,7 +173,7 @@ static int read_default_ldt(void __user
1387 + const void *address;
1390 address = &default_ldt[0];
1391 @@ -215,6 +228,13 @@ static int write_ldt(void __user * ptr,
1395 +#ifdef CONFIG_PAX_SEGMEXEC
1396 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (ldt_info.contents & MODIFY_LDT_CONTENTS_CODE)) {
1402 entry_1 = LDT_entry_a(&ldt_info);
1403 entry_2 = LDT_entry_b(&ldt_info);
1405 diff -urNp linux-2.6.16.12/arch/i386/kernel/module.c linux-2.6.16.12/arch/i386/kernel/module.c
1406 --- linux-2.6.16.12/arch/i386/kernel/module.c 2006-05-01 15:14:26.000000000 -0400
1407 +++ linux-2.6.16.12/arch/i386/kernel/module.c 2006-05-01 20:17:33.000000000 -0400
1409 #include <linux/fs.h>
1410 #include <linux/string.h>
1411 #include <linux/kernel.h>
1412 +#include <asm/desc.h>
1415 #define DEBUGP printk
1416 @@ -32,9 +33,30 @@ void *module_alloc(unsigned long size)
1421 +#ifdef CONFIG_PAX_KERNEXEC
1422 + return vmalloc(size);
1424 return vmalloc_exec(size);
1429 +#ifdef CONFIG_PAX_KERNEXEC
1430 +void *module_alloc_exec(unsigned long size)
1432 + struct vm_struct *area;
1437 + area = __get_vm_area(size, 0, (unsigned long)&MODULES_VADDR, (unsigned long)&MODULES_END);
1439 + return area->addr;
1445 /* Free memory returned from module_alloc */
1446 void module_free(struct module *mod, void *module_region)
1447 @@ -44,6 +66,45 @@ void module_free(struct module *mod, voi
1451 +#ifdef CONFIG_PAX_KERNEXEC
1452 +void module_free_exec(struct module *mod, void *module_region)
1454 + struct vm_struct **p, *tmp;
1456 + if (!module_region)
1459 + if ((PAGE_SIZE-1) & (unsigned long)module_region) {
1460 + printk(KERN_ERR "Trying to module_free_exec() bad address (%p)\n", module_region);
1465 + write_lock(&vmlist_lock);
1466 + for (p = &vmlist ; (tmp = *p) != NULL ;p = &tmp->next)
1467 + if (tmp->addr == module_region)
1471 + unsigned long cr0;
1473 + pax_open_kernel(cr0);
1474 + memset(tmp->addr, 0xCC, tmp->size);
1475 + pax_close_kernel(cr0);
1480 + write_unlock(&vmlist_lock);
1483 + printk(KERN_ERR "Trying to module_free_exec() nonexistent vm area (%p)\n",
1490 /* We don't need anything special. */
1491 int module_frob_arch_sections(Elf_Ehdr *hdr,
1493 @@ -62,14 +123,16 @@ int apply_relocate(Elf32_Shdr *sechdrs,
1495 Elf32_Rel *rel = (void *)sechdrs[relsec].sh_addr;
1497 - uint32_t *location;
1498 + uint32_t *plocation, location;
1500 DEBUGP("Applying relocate section %u to %u\n", relsec,
1501 sechdrs[relsec].sh_info);
1502 for (i = 0; i < sechdrs[relsec].sh_size / sizeof(*rel); i++) {
1503 /* This is where to make the change */
1504 - location = (void *)sechdrs[sechdrs[relsec].sh_info].sh_addr
1505 - + rel[i].r_offset;
1506 + plocation = (void *)sechdrs[sechdrs[relsec].sh_info].sh_addr + rel[i].r_offset;
1507 + location = (uint32_t)plocation;
1508 + if (sechdrs[sechdrs[relsec].sh_info].sh_flags & SHF_EXECINSTR)
1509 + plocation = (void *)plocation + __KERNEL_TEXT_OFFSET;
1510 /* This is the symbol it is referring to. Note that all
1511 undefined symbols have been resolved. */
1512 sym = (Elf32_Sym *)sechdrs[symindex].sh_addr
1513 @@ -78,11 +141,11 @@ int apply_relocate(Elf32_Shdr *sechdrs,
1514 switch (ELF32_R_TYPE(rel[i].r_info)) {
1516 /* We add the value into the location given */
1517 - *location += sym->st_value;
1518 + *plocation += sym->st_value;
1521 /* Add the value, subtract its postition */
1522 - *location += sym->st_value - (uint32_t)location;
1523 + *plocation += sym->st_value - location;
1526 printk(KERN_ERR "module %s: Unknown relocation: %u\n",
1527 diff -urNp linux-2.6.16.12/arch/i386/kernel/process.c linux-2.6.16.12/arch/i386/kernel/process.c
1528 --- linux-2.6.16.12/arch/i386/kernel/process.c 2006-05-01 15:14:26.000000000 -0400
1529 +++ linux-2.6.16.12/arch/i386/kernel/process.c 2006-05-01 20:17:33.000000000 -0400
1530 @@ -377,7 +377,7 @@ void exit_thread(void)
1531 /* The process may have allocated an io port bitmap... nuke it. */
1532 if (unlikely(NULL != t->io_bitmap_ptr)) {
1533 int cpu = get_cpu();
1534 - struct tss_struct *tss = &per_cpu(init_tss, cpu);
1535 + struct tss_struct *tss = init_tss + cpu;
1537 kfree(t->io_bitmap_ptr);
1538 t->io_bitmap_ptr = NULL;
1539 @@ -397,6 +397,9 @@ void flush_thread(void)
1541 struct task_struct *tsk = current;
1543 + __asm__("mov %0,%%fs\n"
1545 + : : "r" (0) : "memory");
1546 memset(tsk->thread.debugreg, 0, sizeof(unsigned long)*8);
1547 memset(tsk->thread.tls_array, 0, sizeof(tsk->thread.tls_array));
1549 @@ -429,7 +432,7 @@ int copy_thread(int nr, unsigned long cl
1550 struct task_struct *tsk;
1553 - childregs = task_pt_regs(p);
1554 + childregs = task_stack_page(p) + THREAD_SIZE - sizeof(struct pt_regs) - 8;
1557 childregs->esp = esp;
1558 @@ -472,6 +475,11 @@ int copy_thread(int nr, unsigned long cl
1559 if (idx < GDT_ENTRY_TLS_MIN || idx > GDT_ENTRY_TLS_MAX)
1562 +#ifdef CONFIG_PAX_SEGMEXEC
1563 + if ((current->mm->pax_flags & MF_PAX_SEGMEXEC) && (info.contents & MODIFY_LDT_CONTENTS_CODE))
1567 desc = p->thread.tls_array + idx - GDT_ENTRY_TLS_MIN;
1568 desc->a = LDT_entry_a(&info);
1569 desc->b = LDT_entry_b(&info);
1570 @@ -636,7 +644,11 @@ struct task_struct fastcall * __switch_t
1571 struct thread_struct *prev = &prev_p->thread,
1572 *next = &next_p->thread;
1573 int cpu = smp_processor_id();
1574 - struct tss_struct *tss = &per_cpu(init_tss, cpu);
1575 + struct tss_struct *tss = init_tss + cpu;
1577 +#ifdef CONFIG_PAX_KERNEXEC
1578 + unsigned long cr0;
1581 /* never put a printk in __switch_to... printk() calls wake_up*() indirectly */
1583 @@ -659,11 +671,19 @@ struct task_struct fastcall * __switch_t
1584 savesegment(fs, prev->fs);
1585 savesegment(gs, prev->gs);
1587 +#ifdef CONFIG_PAX_KERNEXEC
1588 + pax_open_kernel(cr0);
1592 * Load the per-thread Thread-Local Storage descriptor.
1594 load_TLS(next, cpu);
1596 +#ifdef CONFIG_PAX_KERNEXEC
1597 + pax_close_kernel(cr0);
1601 * Restore %fs and %gs if needed.
1603 @@ -818,8 +838,18 @@ asmlinkage int sys_set_thread_area(struc
1604 struct desc_struct *desc;
1607 +#ifdef CONFIG_PAX_KERNEXEC
1608 + unsigned long cr0;
1611 if (copy_from_user(&info, u_info, sizeof(info)))
1614 +#ifdef CONFIG_PAX_SEGMEXEC
1615 + if ((current->mm->pax_flags & MF_PAX_SEGMEXEC) && (info.contents & MODIFY_LDT_CONTENTS_CODE))
1619 idx = info.entry_number;
1622 @@ -851,8 +881,17 @@ asmlinkage int sys_set_thread_area(struc
1623 desc->a = LDT_entry_a(&info);
1624 desc->b = LDT_entry_b(&info);
1627 +#ifdef CONFIG_PAX_KERNEXEC
1628 + pax_open_kernel(cr0);
1633 +#ifdef CONFIG_PAX_KERNEXEC
1634 + pax_close_kernel(cr0);
1640 @@ -908,9 +947,27 @@ asmlinkage int sys_get_thread_area(struc
1644 -unsigned long arch_align_stack(unsigned long sp)
1645 +#ifdef CONFIG_PAX_RANDKSTACK
1646 +asmlinkage void pax_randomize_kstack(void)
1648 - if (randomize_va_space)
1649 - sp -= get_random_int() % 8192;
1651 + struct tss_struct *tss = init_tss + smp_processor_id();
1652 + unsigned long time;
1654 + if (!randomize_va_space)
1659 + /* P4 seems to return a 0 LSB, ignore it */
1660 +#ifdef CONFIG_MPENTIUM4
1668 + tss->esp0 ^= time;
1669 + current->thread.esp0 = tss->esp0;
1672 diff -urNp linux-2.6.16.12/arch/i386/kernel/ptrace.c linux-2.6.16.12/arch/i386/kernel/ptrace.c
1673 --- linux-2.6.16.12/arch/i386/kernel/ptrace.c 2006-05-01 15:14:26.000000000 -0400
1674 +++ linux-2.6.16.12/arch/i386/kernel/ptrace.c 2006-05-01 20:17:33.000000000 -0400
1676 #include <linux/audit.h>
1677 #include <linux/seccomp.h>
1678 #include <linux/signal.h>
1679 +#include <linux/grsecurity.h>
1681 #include <asm/uaccess.h>
1682 #include <asm/pgtable.h>
1683 @@ -342,6 +343,11 @@ ptrace_set_thread_area(struct task_struc
1684 if (copy_from_user(&info, user_desc, sizeof(info)))
1687 +#ifdef CONFIG_PAX_SEGMEXEC
1688 + if ((child->mm->pax_flags & MF_PAX_SEGMEXEC) && (info.contents & MODIFY_LDT_CONTENTS_CODE))
1692 if (idx < GDT_ENTRY_TLS_MIN || idx > GDT_ENTRY_TLS_MAX)
1695 @@ -432,6 +438,17 @@ long arch_ptrace(struct task_struct *chi
1696 if(addr == (long) &dummy->u_debugreg[5]) break;
1697 if(addr < (long) &dummy->u_debugreg[4] &&
1698 ((unsigned long) data) >= TASK_SIZE-3) break;
1700 +#ifdef CONFIG_GRKERNSEC
1701 + if(addr >= (long) &dummy->u_debugreg[0] &&
1702 + addr <= (long) &dummy->u_debugreg[3]){
1703 + long reg = (addr - (long) &dummy->u_debugreg[0]) >> 2;
1704 + long type = (child->thread.debugreg[7] >> (DR_CONTROL_SHIFT + 4*reg)) & 3;
1705 + long align = (child->thread.debugreg[7] >> (DR_CONTROL_SHIFT + 2 + 4*reg)) & 3;
1706 + if((type & 1) && (data & align))
1711 /* Sanity-check data. Take one half-byte at once with
1712 * check = (val >> (16 + 4*i)) & 0xf. It contains the
1713 @@ -645,7 +662,7 @@ void send_sigtrap(struct task_struct *ts
1714 info.si_code = TRAP_BRKPT;
1716 /* User-mode eip? */
1717 - info.si_addr = user_mode_vm(regs) ? (void __user *) regs->eip : NULL;
1718 + info.si_addr = user_mode(regs) ? (void __user *) regs->eip : NULL;
1720 /* Send us the fakey SIGTRAP */
1721 force_sig_info(SIGTRAP, &info, tsk);
1722 diff -urNp linux-2.6.16.12/arch/i386/kernel/reboot.c linux-2.6.16.12/arch/i386/kernel/reboot.c
1723 --- linux-2.6.16.12/arch/i386/kernel/reboot.c 2006-05-01 15:14:26.000000000 -0400
1724 +++ linux-2.6.16.12/arch/i386/kernel/reboot.c 2006-05-01 20:17:33.000000000 -0400
1725 @@ -138,18 +138,18 @@ core_initcall(reboot_init);
1726 doesn't work with at least one type of 486 motherboard. It is easy
1727 to stop this code working; hence the copious comments. */
1729 -static unsigned long long
1730 +static const unsigned long long
1731 real_mode_gdt_entries [3] =
1733 0x0000000000000000ULL, /* Null descriptor */
1734 - 0x00009a000000ffffULL, /* 16-bit real-mode 64k code at 0x00000000 */
1735 - 0x000092000100ffffULL /* 16-bit real-mode 64k data at 0x00000100 */
1736 + 0x00009b000000ffffULL, /* 16-bit real-mode 64k code at 0x00000000 */
1737 + 0x000093000100ffffULL /* 16-bit real-mode 64k data at 0x00000100 */
1742 unsigned short size __attribute__ ((packed));
1743 - unsigned long long * base __attribute__ ((packed));
1744 + const unsigned long long * base __attribute__ ((packed));
1746 real_mode_gdt = { sizeof (real_mode_gdt_entries) - 1, real_mode_gdt_entries },
1747 real_mode_idt = { 0x3ff, NULL },
1748 @@ -203,6 +203,10 @@ void machine_real_restart(unsigned char
1750 unsigned long flags;
1752 +#ifdef CONFIG_PAX_KERNEXEC
1753 + unsigned long cr0;
1756 local_irq_disable();
1758 /* Write zero to CMOS register number 0x0f, which the BIOS POST
1759 @@ -223,9 +227,17 @@ void machine_real_restart(unsigned char
1760 from the kernel segment. This assumes the kernel segment starts at
1761 virtual address PAGE_OFFSET. */
1763 +#ifdef CONFIG_PAX_KERNEXEC
1764 + pax_open_kernel(cr0);
1767 memcpy (swapper_pg_dir, swapper_pg_dir + USER_PGD_PTRS,
1768 sizeof (swapper_pg_dir [0]) * KERNEL_PGD_PTRS);
1770 +#ifdef CONFIG_PAX_KERNEXEC
1771 + pax_close_kernel(cr0);
1775 * Use `swapper_pg_dir' as our page directory.
1777 diff -urNp linux-2.6.16.12/arch/i386/kernel/setup.c linux-2.6.16.12/arch/i386/kernel/setup.c
1778 --- linux-2.6.16.12/arch/i386/kernel/setup.c 2006-05-01 15:14:26.000000000 -0400
1779 +++ linux-2.6.16.12/arch/i386/kernel/setup.c 2006-05-01 20:17:33.000000000 -0400
1782 #include "setup_arch_pre.h"
1783 #include <bios_ebda.h>
1784 +#include <asm/desc.h>
1786 /* Forward Declaration. */
1787 void __init find_max_pfn(void);
1788 @@ -86,7 +87,11 @@ struct cpuinfo_x86 new_cpu_data __initda
1789 struct cpuinfo_x86 boot_cpu_data __read_mostly = { 0, 0, 0, 0, -1, 1, 0, 0, -1 };
1790 EXPORT_SYMBOL(boot_cpu_data);
1792 +#ifdef CONFIG_X86_PAE
1793 +unsigned long mmu_cr4_features = X86_CR4_PAE;
1795 unsigned long mmu_cr4_features;
1799 int acpi_disabled = 0;
1800 @@ -1444,12 +1449,22 @@ void apply_alternatives(void *start, voi
1801 struct alt_instr *a;
1803 unsigned char **noptable = intel_nops;
1805 +#ifdef CONFIG_PAX_KERNEXEC
1806 + unsigned long cr0;
1809 for (i = 0; noptypes[i].cpuid >= 0; i++) {
1810 if (boot_cpu_has(noptypes[i].cpuid)) {
1811 noptable = noptypes[i].noptable;
1816 +#ifdef CONFIG_PAX_KERNEXEC
1817 + pax_open_kernel(cr0);
1820 for (a = start; (void *)a < end; a++) {
1821 if (!boot_cpu_has(a->cpuid))
1823 @@ -1464,6 +1479,11 @@ void apply_alternatives(void *start, voi
1824 memcpy(a->instr + i, noptable[k], k);
1828 +#ifdef CONFIG_PAX_KERNEXEC
1829 + pax_close_kernel(cr0);
1834 void __init alternative_instructions(void)
1835 @@ -1542,14 +1562,14 @@ void __init setup_arch(char **cmdline_p)
1837 if (!MOUNT_ROOT_RDONLY)
1838 root_mountflags &= ~MS_RDONLY;
1839 - init_mm.start_code = (unsigned long) _text;
1840 - init_mm.end_code = (unsigned long) _etext;
1841 + init_mm.start_code = (unsigned long) _text + __KERNEL_TEXT_OFFSET;
1842 + init_mm.end_code = (unsigned long) _etext + __KERNEL_TEXT_OFFSET;
1843 init_mm.end_data = (unsigned long) _edata;
1844 init_mm.brk = init_pg_tables_end + PAGE_OFFSET;
1846 - code_resource.start = virt_to_phys(_text);
1847 - code_resource.end = virt_to_phys(_etext)-1;
1848 - data_resource.start = virt_to_phys(_etext);
1849 + code_resource.start = virt_to_phys(_text + __KERNEL_TEXT_OFFSET);
1850 + code_resource.end = virt_to_phys(_etext + __KERNEL_TEXT_OFFSET)-1;
1851 + data_resource.start = virt_to_phys(_data);
1852 data_resource.end = virt_to_phys(_edata)-1;
1854 parse_cmdline_early(cmdline_p);
1855 diff -urNp linux-2.6.16.12/arch/i386/kernel/signal.c linux-2.6.16.12/arch/i386/kernel/signal.c
1856 --- linux-2.6.16.12/arch/i386/kernel/signal.c 2006-05-01 15:14:26.000000000 -0400
1857 +++ linux-2.6.16.12/arch/i386/kernel/signal.c 2006-05-01 20:17:33.000000000 -0400
1858 @@ -350,7 +350,17 @@ static int setup_frame(int sig, struct k
1862 +#ifdef CONFIG_PAX_NOVSYSCALL
1863 + restorer = frame->retcode;
1865 restorer = &__kernel_sigreturn;
1867 +#ifdef CONFIG_PAX_SEGMEXEC
1868 + if (current->mm->pax_flags & MF_PAX_SEGMEXEC)
1869 + restorer -= SEGMEXEC_TASK_SIZE;
1873 if (ka->sa.sa_flags & SA_RESTORER)
1874 restorer = ka->sa.sa_restorer;
1876 @@ -446,7 +456,18 @@ static int setup_rt_frame(int sig, struc
1879 /* Set up to return from userspace. */
1881 +#ifdef CONFIG_PAX_NOVSYSCALL
1882 + restorer = frame->retcode;
1884 restorer = &__kernel_rt_sigreturn;
1886 +#ifdef CONFIG_PAX_SEGMEXEC
1887 + if (current->mm->pax_flags & MF_PAX_SEGMEXEC)
1888 + restorer -= SEGMEXEC_TASK_SIZE;
1892 if (ka->sa.sa_flags & SA_RESTORER)
1893 restorer = ka->sa.sa_restorer;
1894 err |= __put_user(restorer, &frame->pretcode);
1895 @@ -579,7 +600,7 @@ static void fastcall do_signal(struct pt
1896 * before reaching here, so testing against kernel
1899 - if (!user_mode(regs))
1900 + if (!user_mode_novm(regs))
1903 if (try_to_freeze())
1904 diff -urNp linux-2.6.16.12/arch/i386/kernel/syscall_table.S linux-2.6.16.12/arch/i386/kernel/syscall_table.S
1905 --- linux-2.6.16.12/arch/i386/kernel/syscall_table.S 2006-05-01 15:14:26.000000000 -0400
1906 +++ linux-2.6.16.12/arch/i386/kernel/syscall_table.S 2006-05-01 20:17:33.000000000 -0400
1908 +.section .rodata,"a",@progbits
1909 ENTRY(sys_call_table)
1910 .long sys_restart_syscall /* 0 - old "setup()" system call, used for restarting */
1912 diff -urNp linux-2.6.16.12/arch/i386/kernel/sysenter.c linux-2.6.16.12/arch/i386/kernel/sysenter.c
1913 --- linux-2.6.16.12/arch/i386/kernel/sysenter.c 2006-05-01 15:14:26.000000000 -0400
1914 +++ linux-2.6.16.12/arch/i386/kernel/sysenter.c 2006-05-01 20:17:33.000000000 -0400
1915 @@ -24,7 +24,7 @@ extern asmlinkage void sysenter_entry(vo
1916 void enable_sep_cpu(void)
1918 int cpu = get_cpu();
1919 - struct tss_struct *tss = &per_cpu(init_tss, cpu);
1920 + struct tss_struct *tss = init_tss + cpu;
1922 if (!boot_cpu_has(X86_FEATURE_SEP)) {
1924 @@ -48,6 +48,7 @@ extern const char vsyscall_sysenter_star
1926 int __init sysenter_setup(void)
1928 +#ifndef CONFIG_PAX_NOVSYSCALL
1929 void *page = (void *)get_zeroed_page(GFP_ATOMIC);
1931 __set_fixmap(FIX_VSYSCALL, __pa(page), PAGE_READONLY_EXEC);
1932 @@ -62,6 +63,7 @@ int __init sysenter_setup(void)
1934 &vsyscall_sysenter_start,
1935 &vsyscall_sysenter_end - &vsyscall_sysenter_start);
1940 diff -urNp linux-2.6.16.12/arch/i386/kernel/sys_i386.c linux-2.6.16.12/arch/i386/kernel/sys_i386.c
1941 --- linux-2.6.16.12/arch/i386/kernel/sys_i386.c 2006-05-01 15:14:26.000000000 -0400
1942 +++ linux-2.6.16.12/arch/i386/kernel/sys_i386.c 2006-05-01 20:17:33.000000000 -0400
1943 @@ -107,6 +107,191 @@ out:
1948 +arch_get_unmapped_area(struct file *filp, unsigned long addr,
1949 + unsigned long len, unsigned long pgoff, unsigned long flags)
1951 + struct mm_struct *mm = current->mm;
1952 + struct vm_area_struct *vma;
1953 + unsigned long start_addr, task_size = TASK_SIZE;
1955 +#ifdef CONFIG_PAX_SEGMEXEC
1956 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
1957 + task_size = SEGMEXEC_TASK_SIZE;
1960 + if (len > task_size)
1963 +#ifdef CONFIG_PAX_RANDMMAP
1964 + if (!(mm->pax_flags & MF_PAX_RANDMMAP) || !filp)
1968 + addr = PAGE_ALIGN(addr);
1969 + vma = find_vma(mm, addr);
1970 + if (task_size - len >= addr &&
1971 + (!vma || addr + len <= vma->vm_start))
1974 + if (len > mm->cached_hole_size) {
1975 + start_addr = addr = mm->free_area_cache;
1977 + start_addr = addr = mm->mmap_base;
1978 + mm->cached_hole_size = 0;
1981 +#ifdef CONFIG_PAX_PAGEEXEC
1982 + if ((mm->pax_flags & MF_PAX_PAGEEXEC) && (flags & MAP_EXECUTABLE) && start_addr >= mm->mmap_base) {
1983 + start_addr = 0x00110000UL;
1985 +#ifdef CONFIG_PAX_RANDMMAP
1986 + if (mm->pax_flags & MF_PAX_RANDMMAP)
1987 + start_addr += mm->delta_mmap & 0x03FFFFFFUL;
1990 + if (mm->start_brk <= start_addr && start_addr < mm->mmap_base)
1991 + start_addr = addr = mm->mmap_base;
1993 + addr = start_addr;
1998 + for (vma = find_vma(mm, addr); ; vma = vma->vm_next) {
1999 + /* At this point: (!vma || addr < vma->vm_end). */
2000 + if (task_size - len < addr) {
2002 + * Start a new search - just in case we missed
2005 + if (start_addr != mm->mmap_base) {
2006 + start_addr = addr = mm->mmap_base;
2007 + mm->cached_hole_size = 0;
2012 + if (!vma || addr + len <= vma->vm_start) {
2014 + * Remember the place where we stopped the search:
2016 + mm->free_area_cache = addr + len;
2019 + if (addr + mm->cached_hole_size < vma->vm_start)
2020 + mm->cached_hole_size = vma->vm_start - addr;
2021 + addr = vma->vm_end;
2022 + if (mm->start_brk <= addr && addr < mm->mmap_base) {
2023 + start_addr = addr = mm->mmap_base;
2030 +arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
2031 + const unsigned long len, const unsigned long pgoff,
2032 + const unsigned long flags)
2034 + struct vm_area_struct *vma;
2035 + struct mm_struct *mm = current->mm;
2036 + unsigned long base = mm->mmap_base, addr = addr0, task_size = TASK_SIZE;
2038 +#ifdef CONFIG_PAX_SEGMEXEC
2039 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
2040 + task_size = SEGMEXEC_TASK_SIZE;
2043 + /* requested length too big for entire address space */
2044 + if (len > task_size)
2047 +#ifdef CONFIG_PAX_PAGEEXEC
2048 + if ((mm->pax_flags & MF_PAX_PAGEEXEC) && (flags & MAP_EXECUTABLE))
2052 +#ifdef CONFIG_PAX_RANDMMAP
2053 + if (!(mm->pax_flags & MF_PAX_RANDMMAP) || !filp)
2056 + /* requesting a specific address */
2058 + addr = PAGE_ALIGN(addr);
2059 + vma = find_vma(mm, addr);
2060 + if (task_size - len >= addr &&
2061 + (!vma || addr + len <= vma->vm_start))
2065 + /* check if free_area_cache is useful for us */
2066 + if (len <= mm->cached_hole_size) {
2067 + mm->cached_hole_size = 0;
2068 + mm->free_area_cache = mm->mmap_base;
2071 + /* either no address requested or can't fit in requested address hole */
2072 + addr = mm->free_area_cache;
2074 + /* make sure it can fit in the remaining address space */
2076 + vma = find_vma(mm, addr-len);
2077 + if (!vma || addr <= vma->vm_start)
2078 + /* remember the address as a hint for next time */
2079 + return (mm->free_area_cache = addr-len);
2082 + if (mm->mmap_base < len)
2085 + addr = mm->mmap_base-len;
2089 + * Lookup failure means no vma is above this address,
2090 + * else if new region fits below vma->vm_start,
2091 + * return with success:
2093 + vma = find_vma(mm, addr);
2094 + if (!vma || addr+len <= vma->vm_start)
2095 + /* remember the address as a hint for next time */
2096 + return (mm->free_area_cache = addr);
2098 + /* remember the largest hole we saw so far */
2099 + if (addr + mm->cached_hole_size < vma->vm_start)
2100 + mm->cached_hole_size = vma->vm_start - addr;
2102 + /* try just below the current vma->vm_start */
2103 + addr = vma->vm_start-len;
2104 + } while (len < vma->vm_start);
2108 + * A failed mmap() very likely causes application failure,
2109 + * so fall back to the bottom-up function here. This scenario
2110 + * can happen with large stack limits and large mmap()
2113 + mm->mmap_base = TASK_UNMAPPED_BASE;
2115 +#ifdef CONFIG_PAX_RANDMMAP
2116 + if (mm->pax_flags & MF_PAX_RANDMMAP)
2117 + mm->mmap_base += mm->delta_mmap;
2120 + mm->free_area_cache = mm->mmap_base;
2121 + mm->cached_hole_size = ~0UL;
2122 + addr = arch_get_unmapped_area(filp, addr0, len, pgoff, flags);
2124 + * Restore the topdown base:
2126 + mm->mmap_base = base;
2127 + mm->free_area_cache = base;
2128 + mm->cached_hole_size = ~0UL;
2133 struct sel_arg_struct {
2135 diff -urNp linux-2.6.16.12/arch/i386/kernel/traps.c linux-2.6.16.12/arch/i386/kernel/traps.c
2136 --- linux-2.6.16.12/arch/i386/kernel/traps.c 2006-05-01 15:14:26.000000000 -0400
2137 +++ linux-2.6.16.12/arch/i386/kernel/traps.c 2006-05-01 20:17:33.000000000 -0400
2139 #include <linux/utsname.h>
2140 #include <linux/kprobes.h>
2141 #include <linux/kexec.h>
2142 +#include <linux/binfmts.h>
2145 #include <linux/ioport.h>
2148 asmlinkage int system_call(void);
2150 -struct desc_struct default_ldt[] = { { 0, 0 }, { 0, 0 }, { 0, 0 },
2151 +const struct desc_struct default_ldt[] = { { 0, 0 }, { 0, 0 }, { 0, 0 },
2152 { 0, 0 }, { 0, 0 } };
2154 /* Do we ignore FPU interrupts ? */
2155 char ignore_fpu_irq = 0;
2158 - * The IDT has to be page-aligned to simplify the Pentium
2159 - * F0 0F bug workaround.. We have a special link segment
2162 -struct desc_struct idt_table[256] __attribute__((__section__(".data.idt"))) = { {0, 0}, };
2163 +extern struct desc_struct idt_table[256];
2165 asmlinkage void divide_error(void);
2166 asmlinkage void debug(void);
2167 @@ -127,18 +123,22 @@ static inline unsigned long print_contex
2171 + int i = kstack_depth_to_print;
2173 #ifdef CONFIG_FRAME_POINTER
2174 while (valid_stack_ptr(tinfo, (void *)ebp)) {
2175 addr = *(unsigned long *)(ebp + 4);
2176 print_addr_and_symbol(addr, log_lvl);
2177 ebp = *(unsigned long *)ebp;
2181 while (valid_stack_ptr(tinfo, stack)) {
2183 - if (__kernel_text_address(addr))
2184 + if (__kernel_text_address(addr)) {
2185 print_addr_and_symbol(addr, log_lvl);
2191 @@ -269,7 +269,7 @@ void show_registers(struct pt_regs *regs
2193 printk(KERN_EMERG "Code: ");
2195 - eip = (u8 __user *)regs->eip - 43;
2196 + eip = (u8 __user *)regs->eip - 43 + __KERNEL_TEXT_OFFSET;
2197 for (i = 0; i < 64; i++, eip++) {
2200 @@ -277,7 +277,7 @@ void show_registers(struct pt_regs *regs
2201 printk(" Bad EIP value.");
2204 - if (eip == (u8 __user *)regs->eip)
2205 + if (eip == (u8 __user *)regs->eip + __KERNEL_TEXT_OFFSET)
2206 printk("<%02x> ", c);
2209 @@ -294,7 +294,7 @@ static void handle_BUG(struct pt_regs *r
2214 + eip = regs->eip + __KERNEL_TEXT_OFFSET;
2216 if (eip < PAGE_OFFSET)
2218 @@ -396,7 +396,7 @@ void die(const char * str, struct pt_reg
2220 static inline void die_if_kernel(const char * str, struct pt_regs * regs, long err)
2222 - if (!user_mode_vm(regs))
2223 + if (!user_mode(regs))
2224 die(str, regs, err);
2227 @@ -414,7 +414,7 @@ static void __kprobes do_trap(int trapnr
2231 - if (!user_mode(regs))
2232 + if (!user_mode_novm(regs))
2236 @@ -502,7 +502,7 @@ fastcall void __kprobes do_general_prote
2239 int cpu = get_cpu();
2240 - struct tss_struct *tss = &per_cpu(init_tss, cpu);
2241 + struct tss_struct *tss = &init_tss[cpu];
2242 struct thread_struct *thread = ¤t->thread;
2245 @@ -538,9 +538,25 @@ fastcall void __kprobes do_general_prote
2246 if (regs->eflags & VM_MASK)
2249 - if (!user_mode(regs))
2250 + if (!user_mode_novm(regs))
2253 +#ifdef CONFIG_PAX_PAGEEXEC
2254 + if (current->mm && (current->mm->pax_flags & MF_PAX_PAGEEXEC)) {
2255 + struct mm_struct *mm = current->mm;
2256 + unsigned long limit;
2258 + down_write(&mm->mmap_sem);
2259 + limit = mm->context.user_cs_limit;
2260 + if (limit < TASK_SIZE) {
2261 + track_exec_limit(mm, limit, TASK_SIZE, PROT_EXEC);
2262 + up_write(&mm->mmap_sem);
2265 + up_write(&mm->mmap_sem);
2269 current->thread.error_code = error_code;
2270 current->thread.trap_no = 13;
2271 force_sig(SIGSEGV, current);
2272 @@ -556,6 +572,13 @@ gp_in_kernel:
2273 if (notify_die(DIE_GPF, "general protection fault", regs,
2274 error_code, 13, SIGSEGV) == NOTIFY_STOP)
2277 +#ifdef CONFIG_PAX_KERNEXEC
2278 + if ((regs->xcs & 0xFFFF) == __KERNEL_CS)
2279 + die("PAX: suspicious general protection fault", regs, error_code);
2283 die("general protection fault", regs, error_code);
2286 @@ -781,7 +804,7 @@ fastcall void __kprobes do_debug(struct
2287 * check for kernel mode by just checking the CPL
2290 - if (!user_mode(regs))
2291 + if (!user_mode_novm(regs))
2292 goto clear_TF_reenable;
2295 @@ -1071,7 +1094,19 @@ do { \
2297 void set_intr_gate(unsigned int n, void *addr)
2300 +#ifdef CONFIG_PAX_KERNEXEC
2301 + unsigned long cr0;
2303 + pax_open_kernel(cr0);
2306 _set_gate(idt_table+n,14,0,addr,__KERNEL_CS);
2308 +#ifdef CONFIG_PAX_KERNEXEC
2309 + pax_close_kernel(cr0);
2315 diff -urNp linux-2.6.16.12/arch/i386/kernel/vm86.c linux-2.6.16.12/arch/i386/kernel/vm86.c
2316 --- linux-2.6.16.12/arch/i386/kernel/vm86.c 2006-05-01 15:14:26.000000000 -0400
2317 +++ linux-2.6.16.12/arch/i386/kernel/vm86.c 2006-05-01 20:17:33.000000000 -0400
2318 @@ -123,7 +123,7 @@ struct pt_regs * fastcall save_v86_state
2322 - tss = &per_cpu(init_tss, get_cpu());
2323 + tss = init_tss + get_cpu();
2324 current->thread.esp0 = current->thread.saved_esp0;
2325 current->thread.sysenter_cs = __KERNEL_CS;
2326 load_esp0(tss, ¤t->thread);
2327 @@ -297,7 +297,7 @@ static void do_sys_vm86(struct kernel_vm
2328 savesegment(fs, tsk->thread.saved_fs);
2329 savesegment(gs, tsk->thread.saved_gs);
2331 - tss = &per_cpu(init_tss, get_cpu());
2332 + tss = init_tss + get_cpu();
2333 tsk->thread.esp0 = (unsigned long) &info->VM86_TSS_ESP0;
2335 tsk->thread.sysenter_cs = 0;
2336 diff -urNp linux-2.6.16.12/arch/i386/kernel/vmlinux.lds.S linux-2.6.16.12/arch/i386/kernel/vmlinux.lds.S
2337 --- linux-2.6.16.12/arch/i386/kernel/vmlinux.lds.S 2006-05-01 15:14:26.000000000 -0400
2338 +++ linux-2.6.16.12/arch/i386/kernel/vmlinux.lds.S 2006-05-01 20:17:33.000000000 -0400
2341 #define LOAD_OFFSET __PAGE_OFFSET
2343 +#include <linux/config.h>
2345 #include <asm-generic/vmlinux.lds.h>
2346 #include <asm/thread_info.h>
2347 #include <asm/page.h>
2348 +#include <asm/segment.h>
2350 +#ifdef CONFIG_X86_PAE
2351 +#define PMD_SHIFT 21
2353 +#define PMD_SHIFT 22
2356 OUTPUT_FORMAT("elf32-i386", "elf32-i386", "elf32-i386")
2358 @@ -15,67 +24,17 @@ jiffies = jiffies_64;
2362 - phys_startup_32 = startup_32 - LOAD_OFFSET;
2364 - _text = .; /* Text and read-only data */
2365 - .text : AT(ADDR(.text) - LOAD_OFFSET) {
2374 - _etext = .; /* End of text section */
2376 - . = ALIGN(16); /* Exception table */
2377 - __start___ex_table = .;
2378 - __ex_table : AT(ADDR(__ex_table) - LOAD_OFFSET) { *(__ex_table) }
2379 - __stop___ex_table = .;
2382 + phys_startup_32 = startup_32 - LOAD_OFFSET + __KERNEL_TEXT_OFFSET;
2385 - .data : AT(ADDR(.data) - LOAD_OFFSET) { /* Data */
2388 + .text.startup : AT(ADDR(.text.startup) - LOAD_OFFSET) {
2389 + BYTE(0xEA) /* jmp far */
2390 + LONG(phys_startup_32)
2395 - __nosave_begin = .;
2396 - .data_nosave : AT(ADDR(.data_nosave) - LOAD_OFFSET) { *(.data.nosave) }
2401 - .data.page_aligned : AT(ADDR(.data.page_aligned) - LOAD_OFFSET) {
2406 - .data.cacheline_aligned : AT(ADDR(.data.cacheline_aligned) - LOAD_OFFSET) {
2407 - *(.data.cacheline_aligned)
2410 - /* rarely changed data like cpu maps */
2412 - .data.read_mostly : AT(ADDR(.data.read_mostly) - LOAD_OFFSET) { *(.data.read_mostly) }
2413 - _edata = .; /* End of data section */
2415 - . = ALIGN(THREAD_SIZE); /* init_task */
2416 - .data.init_task : AT(ADDR(.data.init_task) - LOAD_OFFSET) {
2417 - *(.data.init_task)
2420 /* will be freed after init */
2421 . = ALIGN(4096); /* Init code and data */
2423 - .init.text : AT(ADDR(.init.text) - LOAD_OFFSET) {
2428 .init.data : AT(ADDR(.init.data) - LOAD_OFFSET) { *(.init.data) }
2431 @@ -107,9 +66,7 @@ SECTIONS
2432 .altinstr_replacement : AT(ADDR(.altinstr_replacement) - LOAD_OFFSET) {
2433 *(.altinstr_replacement)
2435 - /* .exit.text is discard at runtime, not link time, to deal with references
2436 - from .altinstructions and .eh_frame */
2437 - .exit.text : AT(ADDR(.exit.text) - LOAD_OFFSET) { *(.exit.text) }
2439 .exit.data : AT(ADDR(.exit.data) - LOAD_OFFSET) { *(.exit.data) }
2441 __initramfs_start = .;
2442 @@ -119,10 +76,108 @@ SECTIONS
2443 __per_cpu_start = .;
2444 .data.percpu : AT(ADDR(.data.percpu) - LOAD_OFFSET) { *(.data.percpu) }
2451 + .init.text (. - __KERNEL_TEXT_OFFSET) : AT(ADDR(.init.text) - LOAD_OFFSET + __KERNEL_TEXT_OFFSET) {
2457 + /* .exit.text is discard at runtime, not link time, to deal with references
2458 + from .altinstructions and .eh_frame */
2459 + .exit.text : AT(ADDR(.exit.text) - LOAD_OFFSET + __KERNEL_TEXT_OFFSET) { *(.exit.text) }
2461 +#ifdef CONFIG_PAX_KERNEXEC
2462 + .text.align : AT(ADDR(.text.align) - LOAD_OFFSET + __KERNEL_TEXT_OFFSET) {
2463 + . = ALIGN(__KERNEL_TEXT_OFFSET - LOAD_OFFSET) - 1;
2470 + __init_end = . + __KERNEL_TEXT_OFFSET;
2471 /* freed after init ends here */
2474 + _text = .; /* Text and read-only data */
2475 + .text : AT(ADDR(.text) - LOAD_OFFSET + __KERNEL_TEXT_OFFSET) {
2484 + _etext = .; /* End of text section */
2485 + . += __KERNEL_TEXT_OFFSET;
2486 + . = ALIGN(16); /* Exception table */
2487 + __start___ex_table = .;
2488 + __ex_table : AT(ADDR(__ex_table) - LOAD_OFFSET) { *(__ex_table) }
2489 + __stop___ex_table = .;
2492 + .rodata.page_aligned : AT(ADDR(.rodata.page_aligned) - LOAD_OFFSET) {
2493 + *(.empty_zero_page)
2495 +#ifdef CONFIG_X86_PAE
2496 + *(.swapper_pm_dir)
2499 + *(.swapper_pg_dir)
2505 +#ifdef CONFIG_PAX_KERNEXEC
2507 + MODULES_VADDR = .;
2509 + .module.text : AT(ADDR(.module.text) - LOAD_OFFSET) {
2510 + . += (4 * 1024 * 1024);
2511 + . = ALIGN(1 << PMD_SHIFT) - 1;
2521 + .data : AT(ADDR(.data) - LOAD_OFFSET) { /* Data */
2528 + __nosave_begin = .;
2529 + .data_nosave : AT(ADDR(.data_nosave) - LOAD_OFFSET) { *(.data.nosave) }
2534 + .data.cacheline_aligned : AT(ADDR(.data.cacheline_aligned) - LOAD_OFFSET) {
2535 + *(.data.cacheline_aligned)
2538 + /* rarely changed data like cpu maps */
2540 + .data.read_mostly : AT(ADDR(.data.read_mostly) - LOAD_OFFSET) { *(.data.read_mostly) }
2542 + . = ALIGN(THREAD_SIZE); /* init_task */
2543 + .data.init_task : AT(ADDR(.data.init_task) - LOAD_OFFSET) {
2544 + *(.data.init_task)
2547 + _edata = .; /* End of data section */
2550 __bss_start = .; /* BSS */
2551 .bss.page_aligned : AT(ADDR(.bss.page_aligned) - LOAD_OFFSET) {
2552 *(.bss.page_aligned)
2553 diff -urNp linux-2.6.16.12/arch/i386/mach-voyager/voyager_smp.c linux-2.6.16.12/arch/i386/mach-voyager/voyager_smp.c
2554 --- linux-2.6.16.12/arch/i386/mach-voyager/voyager_smp.c 2006-05-01 15:14:26.000000000 -0400
2555 +++ linux-2.6.16.12/arch/i386/mach-voyager/voyager_smp.c 2006-05-01 20:17:33.000000000 -0400
2556 @@ -1295,7 +1295,7 @@ smp_local_timer_interrupt(struct pt_regs
2557 per_cpu(prof_counter, cpu);
2560 - update_process_times(user_mode_vm(regs));
2561 + update_process_times(user_mode(regs));
2564 if( ((1<<cpu) & voyager_extended_vic_processors) == 0)
2565 diff -urNp linux-2.6.16/arch/i386/mm/boot_ioremap.c linux-2.6.16/arch/i386/mm/boot_ioremap.c
2566 --- linux-2.6.16/arch/i386/mm/boot_ioremap.c 2007-04-02 01:58:56.298176750 +0200
2567 +++ linux-2.6.16/arch/i386/mm/boot_ioremap.c 2007-04-02 02:02:20.994969500 +0200
2569 * Written by Dave Hansen <haveblue@us.ibm.com>
2574 - * We need to use the 2-level pagetable functions, but CONFIG_X86_PAE
2575 - * keeps that from happenning. If anyone has a better way, I'm listening.
2577 - * boot_pte_t is defined only if this all works correctly
2580 #include <linux/config.h>
2581 -#undef CONFIG_X86_PAE
2582 #include <asm/page.h>
2583 #include <asm/pgtable.h>
2584 #include <asm/tlbflush.h>
2585 #include <linux/init.h>
2586 #include <linux/stddef.h>
2589 - * I'm cheating here. It is known that the two boot PTE pages are
2590 - * allocated next to each other. I'm pretending that they're just
2594 -#define BOOT_PTE_PTRS (PTRS_PER_PTE*2)
2596 -static unsigned long boot_pte_index(unsigned long vaddr)
2598 - return __pa(vaddr) >> PAGE_SHIFT;
2601 -static inline boot_pte_t* boot_vaddr_to_pte(void *address)
2603 - boot_pte_t* boot_pg = (boot_pte_t*)pg0;
2604 - return &boot_pg[boot_pte_index((unsigned long)address)];
2608 * This is only for a caller who is clever enough to page-align
2609 * phys_addr and virtual_source, and who also has a preference
2610 * about which virtual address from which to steal ptes
2612 -static void __boot_ioremap(unsigned long phys_addr, unsigned long nrpages,
2613 - void* virtual_source)
2614 +static void __init __boot_ioremap(unsigned long phys_addr, unsigned int nrpages,
2615 + char* virtual_source)
2619 - char *vaddr = virtual_source;
2625 + unsigned long vaddr = (unsigned long)virtual_source;
2627 + pgd = pgd_offset_k(vaddr);
2628 + pud = pud_offset(pgd, vaddr);
2629 + pmd = pmd_offset(pud, vaddr);
2630 + pte = pte_offset_kernel(pmd, vaddr);
2632 - pte = boot_vaddr_to_pte(virtual_source);
2633 for (i=0; i < nrpages; i++, phys_addr += PAGE_SIZE, pte++) {
2634 set_pte(pte, pfn_pte(phys_addr>>PAGE_SHIFT, PAGE_KERNEL));
2635 - __flush_tlb_one(&vaddr[i*PAGE_SIZE]);
2636 + __flush_tlb_one(&virtual_source[i*PAGE_SIZE]);
2640 diff -urNp linux-2.6.16.12/arch/i386/mm/extable.c linux-2.6.16.12/arch/i386/mm/extable.c
2641 --- linux-2.6.16.12/arch/i386/mm/extable.c 2006-05-01 15:14:26.000000000 -0400
2642 +++ linux-2.6.16.12/arch/i386/mm/extable.c 2006-05-01 20:17:33.000000000 -0400
2643 @@ -12,7 +12,7 @@ int fixup_exception(struct pt_regs *regs
2644 const struct exception_table_entry *fixup;
2646 #ifdef CONFIG_PNPBIOS
2647 - if (unlikely((regs->xcs & ~15) == (GDT_ENTRY_PNPBIOS_BASE << 3)))
2648 + if (unlikely(regs->xcs == (GDT_ENTRY_PNPBIOS_BASE << 3)))
2650 extern u32 pnp_bios_fault_eip, pnp_bios_fault_esp;
2651 extern u32 pnp_bios_is_utter_crap;
2652 diff -urNp linux-2.6.16.12/arch/i386/mm/fault.c linux-2.6.16.12/arch/i386/mm/fault.c
2653 --- linux-2.6.16.12/arch/i386/mm/fault.c 2006-05-01 15:14:26.000000000 -0400
2654 +++ linux-2.6.16.12/arch/i386/mm/fault.c 2006-05-01 20:17:33.000000000 -0400
2656 #include <linux/highmem.h>
2657 #include <linux/module.h>
2658 #include <linux/kprobes.h>
2659 +#include <linux/unistd.h>
2660 +#include <linux/compiler.h>
2661 +#include <linux/binfmts.h>
2663 #include <asm/system.h>
2664 #include <asm/uaccess.h>
2665 @@ -82,11 +85,13 @@ static inline unsigned long get_segment_
2667 /* Unlikely, but must come before segment checks. */
2668 if (unlikely((regs->eflags & VM_MASK) != 0))
2669 - return eip + (seg << 4);
2670 + return (eip & 0xFFFF) + (seg << 4);
2672 /* By far the most common cases. */
2673 - if (likely(seg == __USER_CS || seg == __KERNEL_CS))
2674 + if (likely(seg == __USER_CS))
2676 + if (likely(seg == __KERNEL_CS))
2677 + return eip + __KERNEL_TEXT_OFFSET;
2679 /* Check the segment exists, is within the current LDT/GDT size,
2680 that kernel/user (ring 0..3) has the appropriate privilege,
2681 @@ -108,7 +113,7 @@ static inline unsigned long get_segment_
2682 desc = (void *)desc + (seg & ~7);
2684 /* Must disable preemption while reading the GDT. */
2685 - desc = (u32 *)get_cpu_gdt_table(get_cpu());
2686 + desc = (u32 *)get_cpu_gdt_table(get_cpu());
2687 desc = (void *)desc + (seg & ~7);
2690 @@ -214,6 +219,30 @@ static noinline void force_sig_info_faul
2692 fastcall void do_invalid_op(struct pt_regs *, unsigned long);
2694 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
2695 +static int pax_handle_fetch_fault(struct pt_regs *regs);
2698 +#ifdef CONFIG_PAX_PAGEEXEC
2699 +static inline pmd_t * pax_get_pmd(struct mm_struct *mm, unsigned long address)
2705 + pgd = pgd_offset(mm, address);
2706 + if (!pgd_present(*pgd))
2708 + pud = pud_offset(pgd, address);
2709 + if (!pud_present(*pud))
2711 + pmd = pmd_offset(pud, address);
2712 + if (!pmd_present(*pmd))
2719 * This routine handles page faults. It determines the address,
2720 * and the problem, and then passes it off to one of the appropriate
2721 @@ -231,9 +260,15 @@ fastcall void __kprobes do_page_fault(st
2722 struct mm_struct *mm;
2723 struct vm_area_struct * vma;
2724 unsigned long address;
2725 - unsigned long page;
2728 +#ifdef CONFIG_PAX_PAGEEXEC
2732 + unsigned char pte_mask;
2735 /* get the address */
2736 address = read_cr2();
2738 @@ -245,6 +280,7 @@ fastcall void __kprobes do_page_fault(st
2744 si_code = SEGV_MAPERR;
2746 @@ -271,14 +307,12 @@ fastcall void __kprobes do_page_fault(st
2747 goto bad_area_nosemaphore;
2753 * If we're in an interrupt, have no user context or are running in an
2754 * atomic region then we must not take the fault..
2756 if (in_atomic() || !mm)
2757 - goto bad_area_nosemaphore;
2758 + goto bad_area_nopax;
2760 /* When running in the kernel we expect faults to occur only to
2761 * addresses in user space. All other faults represent errors in the
2762 @@ -298,10 +332,98 @@ fastcall void __kprobes do_page_fault(st
2763 if (!down_read_trylock(&mm->mmap_sem)) {
2764 if ((error_code & 4) == 0 &&
2765 !search_exception_tables(regs->eip))
2766 - goto bad_area_nosemaphore;
2767 + goto bad_area_nopax;
2768 down_read(&mm->mmap_sem);
2771 +#ifdef CONFIG_PAX_PAGEEXEC
2772 + if (unlikely((error_code & 5) != 5 ||
2773 + (regs->eflags & X86_EFLAGS_VM) ||
2774 + !(mm->pax_flags & MF_PAX_PAGEEXEC)))
2775 + goto not_pax_fault;
2777 + /* PaX: it's our fault, let's handle it if we can */
2779 + /* PaX: take a look at read faults before acquiring any locks */
2780 + if (unlikely(!(error_code & 2) && (regs->eip == address))) {
2781 + /* instruction fetch attempt from a protected page in user mode */
2782 + up_read(&mm->mmap_sem);
2783 + switch (pax_handle_fetch_fault(regs)) {
2785 +#ifdef CONFIG_PAX_EMUTRAMP
2791 + pax_report_fault(regs, (void*)regs->eip, (void*)regs->esp);
2795 + pmd = pax_get_pmd(mm, address);
2796 + if (unlikely(!pmd))
2797 + goto not_pax_fault;
2799 + pte = pte_offset_map_lock(mm, pmd, address, &ptl);
2800 + if (unlikely(!(pte_val(*pte) & _PAGE_PRESENT) || pte_user(*pte))) {
2801 + pte_unmap_unlock(pte, ptl);
2802 + goto not_pax_fault;
2805 + if (unlikely((error_code & 2) && !pte_write(*pte))) {
2806 + /* write attempt to a protected page in user mode */
2807 + pte_unmap_unlock(pte, ptl);
2808 + goto not_pax_fault;
2812 + if (likely(address > get_limit(regs->xcs) && cpu_isset(smp_processor_id(), mm->context.cpu_user_cs_mask)))
2814 + if (likely(address > get_limit(regs->xcs)))
2817 + set_pte(pte, pte_mkread(*pte));
2818 + __flush_tlb_one(address);
2819 + pte_unmap_unlock(pte, ptl);
2820 + up_read(&mm->mmap_sem);
2824 + pte_mask = _PAGE_ACCESSED | _PAGE_USER | ((error_code & 2) << (_PAGE_BIT_DIRTY-1));
2827 + * PaX: fill DTLB with user rights and retry
2829 + __asm__ __volatile__ (
2831 +#if defined(CONFIG_M586) || defined(CONFIG_M586TSC)
2833 + * PaX: let this uncommented 'invlpg' remind us on the behaviour of Intel's
2834 + * (and AMD's) TLBs. namely, they do not cache PTEs that would raise *any*
2835 + * page fault when examined during a TLB load attempt. this is true not only
2836 + * for PTEs holding a non-present entry but also present entries that will
2837 + * raise a page fault (such as those set up by PaX, or the copy-on-write
2838 + * mechanism). in effect it means that we do *not* need to flush the TLBs
2839 + * for our target pages since their PTEs are simply not in the TLBs at all.
2841 + * the best thing in omitting it is that we gain around 15-20% speed in the
2842 + * fast path of the page fault handler and can get rid of tracing since we
2843 + * can no longer flush unintended entries.
2850 + : "m" (*(char*)address), "m" (*(char*)pte), "q" (pte_mask), "i" (_PAGE_USER)
2851 + : "memory", "cc");
2852 + pte_unmap_unlock(pte, ptl);
2853 + up_read(&mm->mmap_sem);
2859 vma = find_vma(mm, address);
2862 @@ -387,6 +509,37 @@ bad_area:
2863 up_read(&mm->mmap_sem);
2865 bad_area_nosemaphore:
2867 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
2868 + if (mm && (error_code & 4) && !(regs->eflags & X86_EFLAGS_VM)) {
2870 +#ifdef CONFIG_PAX_PAGEEXEC
2871 + if ((mm->pax_flags & MF_PAX_PAGEEXEC) && !(error_code & 3) && (regs->eip == address)) {
2872 + pax_report_fault(regs, (void*)regs->eip, (void*)regs->esp);
2877 +#ifdef CONFIG_PAX_SEGMEXEC
2878 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && !(error_code & 3) && (regs->eip + SEGMEXEC_TASK_SIZE == address)) {
2880 + switch (pax_handle_fetch_fault(regs)) {
2882 +#ifdef CONFIG_PAX_EMUTRAMP
2888 + pax_report_fault(regs, (void*)regs->eip, (void*)regs->esp);
2897 /* User mode accesses just cause a SIGSEGV */
2898 if (error_code & 4) {
2900 @@ -450,28 +603,53 @@ no_context:
2902 if (address < PAGE_SIZE)
2903 printk(KERN_ALERT "Unable to handle kernel NULL pointer dereference");
2905 +#ifdef CONFIG_PAX_KERNEXEC
2906 +#ifdef CONFIG_MODULES
2907 + else if (init_mm.start_code <= address && address < (unsigned long)MODULES_END)
2909 + else if (init_mm.start_code <= address && address < init_mm.end_code)
2911 + if (tsk->signal->curr_ip)
2912 + printk(KERN_ERR "PAX: From %u.%u.%u.%u: %s:%d, uid/euid: %u/%u, attempted to modify kernel code",
2913 + NIPQUAD(tsk->signal->curr_ip), tsk->comm, tsk->pid, tsk->uid, tsk->euid);
2915 + printk(KERN_ERR "PAX: %s:%d, uid/euid: %u/%u, attempted to modify kernel code",
2916 + tsk->comm, tsk->pid, tsk->uid, tsk->euid);
2920 printk(KERN_ALERT "Unable to handle kernel paging request");
2921 printk(" at virtual address %08lx\n",address);
2922 printk(KERN_ALERT " printing eip:\n");
2923 printk("%08lx\n", regs->eip);
2924 - page = read_cr3();
2925 - page = ((unsigned long *) __va(page))[address >> 22];
2926 - printk(KERN_ALERT "*pde = %08lx\n", page);
2928 - * We must not directly access the pte in the highpte
2929 - * case, the page table might be allocated in highmem.
2930 - * And lets rather not kmap-atomic the pte, just in case
2931 - * it's allocated already.
2934 + unsigned long index = pgd_index(address);
2940 + pgd = index + (pgd_t *)__va(read_cr3());
2941 + printk(KERN_ALERT "*pgd = %*llx\n", sizeof(*pgd), (unsigned long long)pgd_val(*pgd));
2942 + if (pgd_present(*pgd)) {
2943 + pud = pud_offset(pgd, address);
2944 + pmd = pmd_offset(pud, address);
2945 + printk(KERN_ALERT "*pmd = %*llx\n", sizeof(*pmd), (unsigned long long)pmd_val(*pmd));
2947 + * We must not directly access the pte in the highpte
2948 + * case, the page table might be allocated in highmem.
2949 + * And lets rather not kmap-atomic the pte, just in case
2950 + * it's allocated already.
2952 #ifndef CONFIG_HIGHPTE
2954 - page &= PAGE_MASK;
2955 - address &= 0x003ff000;
2956 - page = ((unsigned long *) __va(page))[address >> PAGE_SHIFT];
2957 - printk(KERN_ALERT "*pte = %08lx\n", page);
2959 + if (pmd_present(*pmd) && !pmd_large(*pmd)) {
2960 + pte = pte_offset_kernel(pmd, address);
2961 + printk(KERN_ALERT "*pte = %*llx\n", sizeof(*pte), (unsigned long long)pte_val(*pte));
2966 tsk->thread.cr2 = address;
2967 tsk->thread.trap_no = 14;
2968 tsk->thread.error_code = error_code;
2969 @@ -521,7 +699,7 @@ vmalloc_fault:
2970 * Do _not_ use "tsk" here. We might be inside
2971 * an interrupt in the middle of a task switch..
2973 - int index = pgd_index(address);
2974 + unsigned long index = pgd_index(address);
2975 unsigned long pgd_paddr;
2978 @@ -558,3 +736,105 @@ vmalloc_fault:
2983 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
2985 + * PaX: decide what to do with offenders (regs->eip = fault address)
2987 + * returns 1 when task should be killed
2988 + * 2 when gcc trampoline was detected
2990 +static int pax_handle_fetch_fault(struct pt_regs *regs)
2993 +#ifdef CONFIG_PAX_EMUTRAMP
2994 + static const unsigned char trans[8] = {6, 1, 2, 0, 13, 5, 3, 4};
2998 + if (regs->eflags & X86_EFLAGS_VM)
3001 +#ifdef CONFIG_PAX_EMUTRAMP
3002 + if (!(current->mm->pax_flags & MF_PAX_EMUTRAMP))
3005 + do { /* PaX: gcc trampoline emulation #1 */
3006 + unsigned char mov1, mov2;
3007 + unsigned short jmp;
3008 + unsigned long addr1, addr2;
3010 + err = get_user(mov1, (unsigned char __user *)regs->eip);
3011 + err |= get_user(addr1, (unsigned long __user *)(regs->eip + 1));
3012 + err |= get_user(mov2, (unsigned char __user *)(regs->eip + 5));
3013 + err |= get_user(addr2, (unsigned long __user *)(regs->eip + 6));
3014 + err |= get_user(jmp, (unsigned short __user *)(regs->eip + 10));
3019 + if ((mov1 & 0xF8) == 0xB8 &&
3020 + (mov2 & 0xF8) == 0xB8 &&
3021 + (mov1 & 0x07) != (mov2 & 0x07) &&
3022 + (jmp & 0xF8FF) == 0xE0FF &&
3023 + (mov2 & 0x07) == ((jmp>>8) & 0x07))
3025 + ((unsigned long *)regs)[trans[mov1 & 0x07]] = addr1;
3026 + ((unsigned long *)regs)[trans[mov2 & 0x07]] = addr2;
3027 + regs->eip = addr2;
3032 + do { /* PaX: gcc trampoline emulation #2 */
3033 + unsigned char mov, jmp;
3034 + unsigned long addr1, addr2;
3036 + err = get_user(mov, (unsigned char __user *)regs->eip);
3037 + err |= get_user(addr1, (unsigned long __user *)(regs->eip + 1));
3038 + err |= get_user(jmp, (unsigned char __user *)(regs->eip + 5));
3039 + err |= get_user(addr2, (unsigned long __user *)(regs->eip + 6));
3044 + if ((mov & 0xF8) == 0xB8 &&
3047 + ((unsigned long *)regs)[trans[mov & 0x07]] = addr1;
3048 + regs->eip += addr2 + 10;
3054 + return 1; /* PaX in action */
3058 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
3059 +void pax_report_insns(void *pc, void *sp)
3063 + printk(KERN_ERR "PAX: bytes at PC: ");
3064 + for (i = 0; i < 20; i++) {
3066 + if (get_user(c, (unsigned char __user *)pc+i))
3069 + printk("%02x ", c);
3073 + printk(KERN_ERR "PAX: bytes at SP-4: ");
3074 + for (i = -1; i < 20; i++) {
3076 + if (get_user(c, (unsigned long __user *)sp+i))
3077 + printk("???????? ");
3079 + printk("%08lx ", c);
3084 diff -urNp linux-2.6.16.12/arch/i386/mm/hugetlbpage.c linux-2.6.16.12/arch/i386/mm/hugetlbpage.c
3085 --- linux-2.6.16.12/arch/i386/mm/hugetlbpage.c 2006-05-01 15:14:26.000000000 -0400
3086 +++ linux-2.6.16.12/arch/i386/mm/hugetlbpage.c 2006-05-01 20:17:33.000000000 -0400
3087 @@ -133,7 +133,12 @@ static unsigned long hugetlb_get_unmappe
3089 struct mm_struct *mm = current->mm;
3090 struct vm_area_struct *vma;
3091 - unsigned long start_addr;
3092 + unsigned long start_addr, task_size = TASK_SIZE;
3094 +#ifdef CONFIG_PAX_SEGMEXEC
3095 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
3096 + task_size = SEGMEXEC_TASK_SIZE;
3099 if (len > mm->cached_hole_size) {
3100 start_addr = mm->free_area_cache;
3101 @@ -147,7 +152,7 @@ full_search:
3103 for (vma = find_vma(mm, addr); ; vma = vma->vm_next) {
3104 /* At this point: (!vma || addr < vma->vm_end). */
3105 - if (TASK_SIZE - len < addr) {
3106 + if (task_size - len < addr) {
3108 * Start a new search - just in case we missed
3110 @@ -175,9 +180,8 @@ static unsigned long hugetlb_get_unmappe
3112 struct mm_struct *mm = current->mm;
3113 struct vm_area_struct *vma, *prev_vma;
3114 - unsigned long base = mm->mmap_base, addr = addr0;
3115 + unsigned long base = mm->mmap_base, addr;
3116 unsigned long largest_hole = mm->cached_hole_size;
3117 - int first_time = 1;
3119 /* don't allow allocations above current base */
3120 if (mm->free_area_cache > base)
3121 @@ -187,7 +191,7 @@ static unsigned long hugetlb_get_unmappe
3123 mm->free_area_cache = base;
3127 /* make sure it can fit in the remaining address space */
3128 if (mm->free_area_cache < len)
3130 @@ -229,16 +233,6 @@ try_again:
3134 - * if hint left us with no space for the requested
3135 - * mapping then try again:
3138 - mm->free_area_cache = base;
3144 * A failed mmap() very likely causes application failure,
3145 * so fall back to the bottom-up function here. This scenario
3146 * can happen with large stack limits and large mmap()
3147 @@ -264,16 +258,23 @@ hugetlb_get_unmapped_area(struct file *f
3149 struct mm_struct *mm = current->mm;
3150 struct vm_area_struct *vma;
3151 + unsigned long task_size = TASK_SIZE;
3153 if (len & ~HPAGE_MASK)
3155 - if (len > TASK_SIZE)
3157 +#ifdef CONFIG_PAX_SEGMEXEC
3158 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
3159 + task_size = SEGMEXEC_TASK_SIZE;
3162 + if (len > task_size || addr > task_size - len)
3166 addr = ALIGN(addr, HPAGE_SIZE);
3167 vma = find_vma(mm, addr);
3168 - if (TASK_SIZE - len >= addr &&
3169 + if (task_size - len >= addr &&
3170 (!vma || addr + len <= vma->vm_start))
3173 diff -urNp linux-2.6.16.12/arch/i386/mm/init.c linux-2.6.16.12/arch/i386/mm/init.c
3174 --- linux-2.6.16.12/arch/i386/mm/init.c 2006-05-01 15:14:26.000000000 -0400
3175 +++ linux-2.6.16.12/arch/i386/mm/init.c 2006-05-01 20:17:33.000000000 -0400
3177 #include <asm/tlb.h>
3178 #include <asm/tlbflush.h>
3179 #include <asm/sections.h>
3180 +#include <asm/desc.h>
3182 unsigned int __VMALLOC_RESERVE = 128 << 20;
3184 @@ -52,30 +53,6 @@ unsigned long highstart_pfn, highend_pfn
3188 - * Creates a middle page table and puts a pointer to it in the
3189 - * given global directory entry. This only returns the gd entry
3190 - * in non-PAE compilation mode, since the middle layer is folded.
3192 -static pmd_t * __init one_md_table_init(pgd_t *pgd)
3197 -#ifdef CONFIG_X86_PAE
3198 - pmd_table = (pmd_t *) alloc_bootmem_low_pages(PAGE_SIZE);
3199 - set_pgd(pgd, __pgd(__pa(pmd_table) | _PAGE_PRESENT));
3200 - pud = pud_offset(pgd, 0);
3201 - if (pmd_table != pmd_offset(pud, 0))
3204 - pud = pud_offset(pgd, 0);
3205 - pmd_table = pmd_offset(pud, 0);
3212 * Create a page table and place a pointer to it in a middle page
3215 @@ -83,7 +60,11 @@ static pte_t * __init one_page_table_ini
3217 if (pmd_none(*pmd)) {
3218 pte_t *page_table = (pte_t *) alloc_bootmem_low_pages(PAGE_SIZE);
3219 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
3220 + set_pmd(pmd, __pmd(__pa(page_table) | _KERNPG_TABLE));
3222 set_pmd(pmd, __pmd(__pa(page_table) | _PAGE_TABLE));
3224 if (page_table != pte_offset_kernel(pmd, 0))
3227 @@ -118,8 +99,6 @@ static void __init page_table_range_init
3228 pgd = pgd_base + pgd_idx;
3230 for ( ; (pgd_idx < PTRS_PER_PGD) && (vaddr != end); pgd++, pgd_idx++) {
3231 - if (pgd_none(*pgd))
3232 - one_md_table_init(pgd);
3233 pud = pud_offset(pgd, vaddr);
3234 pmd = pmd_offset(pud, vaddr);
3235 for (; (pmd_idx < PTRS_PER_PMD) && (vaddr != end); pmd++, pmd_idx++) {
3236 @@ -132,11 +111,22 @@ static void __init page_table_range_init
3240 -static inline int is_kernel_text(unsigned long addr)
3241 +static inline int is_kernel_text(unsigned long start, unsigned long end)
3243 - if (addr >= PAGE_OFFSET && addr <= (unsigned long)__init_end)
3246 + unsigned long etext;
3248 +#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
3249 + etext = (unsigned long)&MODULES_END - __KERNEL_TEXT_OFFSET;
3251 + etext = (unsigned long)&_etext;
3254 + if ((start > etext + __KERNEL_TEXT_OFFSET ||
3255 + end <= (unsigned long)_stext + __KERNEL_TEXT_OFFSET) &&
3256 + (start > (unsigned long)_einittext + __KERNEL_TEXT_OFFSET ||
3257 + end <= (unsigned long)_sinittext + __KERNEL_TEXT_OFFSET))
3263 @@ -148,26 +138,24 @@ static void __init kernel_physical_mappi
3270 - int pgd_idx, pmd_idx, pte_ofs;
3271 + unsigned int pgd_idx, pmd_idx, pte_ofs;
3273 pgd_idx = pgd_index(PAGE_OFFSET);
3274 pgd = pgd_base + pgd_idx;
3277 - for (; pgd_idx < PTRS_PER_PGD; pgd++, pgd_idx++) {
3278 - pmd = one_md_table_init(pgd);
3279 - if (pfn >= max_low_pfn)
3281 + for (; pgd_idx < PTRS_PER_PGD && pfn < max_low_pfn; pgd++, pgd_idx++) {
3282 + pud = pud_offset(pgd, 0);
3283 + pmd = pmd_offset(pud, 0);
3284 for (pmd_idx = 0; pmd_idx < PTRS_PER_PMD && pfn < max_low_pfn; pmd++, pmd_idx++) {
3285 - unsigned int address = pfn * PAGE_SIZE + PAGE_OFFSET;
3286 + unsigned long address = pfn * PAGE_SIZE + PAGE_OFFSET;
3288 /* Map with big pages if possible, otherwise create normal page tables. */
3290 - unsigned int address2 = (pfn + PTRS_PER_PTE - 1) * PAGE_SIZE + PAGE_OFFSET + PAGE_SIZE-1;
3292 - if (is_kernel_text(address) || is_kernel_text(address2))
3293 + if (is_kernel_text(address, address + PMD_SIZE))
3294 set_pmd(pmd, pfn_pmd(pfn, PAGE_KERNEL_LARGE_EXEC));
3296 set_pmd(pmd, pfn_pmd(pfn, PAGE_KERNEL_LARGE));
3297 @@ -176,7 +164,7 @@ static void __init kernel_physical_mappi
3298 pte = one_page_table_init(pmd);
3300 for (pte_ofs = 0; pte_ofs < PTRS_PER_PTE && pfn < max_low_pfn; pte++, pfn++, pte_ofs++) {
3301 - if (is_kernel_text(address))
3302 + if (is_kernel_text(address, address + PAGE_SIZE))
3303 set_pte(pte, pfn_pte(pfn, PAGE_KERNEL_EXEC));
3305 set_pte(pte, pfn_pte(pfn, PAGE_KERNEL));
3306 @@ -347,13 +335,6 @@ static void __init pagetable_init (void)
3307 unsigned long vaddr;
3308 pgd_t *pgd_base = swapper_pg_dir;
3310 -#ifdef CONFIG_X86_PAE
3312 - /* Init entries of the first-level page table to the zero page */
3313 - for (i = 0; i < PTRS_PER_PGD; i++)
3314 - set_pgd(pgd_base + i, __pgd(__pa(empty_zero_page) | _PAGE_PRESENT));
3317 /* Enable PSE if available */
3319 set_in_cr4(X86_CR4_PSE);
3320 @@ -377,17 +358,6 @@ static void __init pagetable_init (void)
3321 page_table_range_init(vaddr, 0, pgd_base);
3323 permanent_kmaps_init(pgd_base);
3325 -#ifdef CONFIG_X86_PAE
3327 - * Add low memory identity-mappings - SMP needs it when
3328 - * starting up on an AP from real-mode. In the non-PAE
3329 - * case we already have these mappings through head.S.
3330 - * All user-space mappings are explicitly cleared after
3333 - set_pgd(&pgd_base[0], pgd_base[USER_PTRS_PER_PGD]);
3338 @@ -429,7 +399,6 @@ void zap_low_mappings (void)
3342 -static int disable_nx __initdata = 0;
3343 u64 __supported_pte_mask __read_mostly = ~_PAGE_NX;
3346 @@ -443,11 +412,9 @@ u64 __supported_pte_mask __read_mostly =
3347 void __init noexec_setup(const char *str)
3349 if (!strncmp(str, "on",2) && cpu_has_nx) {
3350 - __supported_pte_mask |= _PAGE_NX;
3353 } else if (!strncmp(str,"off",3)) {
3355 - __supported_pte_mask &= ~_PAGE_NX;
3360 @@ -456,17 +423,13 @@ int nx_enabled = 0;
3362 static void __init set_nx(void)
3364 - unsigned int v[4], l, h;
3365 + if (!nx_enabled && cpu_has_nx) {
3368 - if (cpu_has_pae && (cpuid_eax(0x80000000) > 0x80000001)) {
3369 - cpuid(0x80000001, &v[0], &v[1], &v[2], &v[3]);
3370 - if ((v[3] & (1 << 20)) && !disable_nx) {
3371 - rdmsr(MSR_EFER, l, h);
3373 - wrmsr(MSR_EFER, l, h);
3375 - __supported_pte_mask |= _PAGE_NX;
3377 + __supported_pte_mask &= ~_PAGE_NX;
3378 + rdmsr(MSR_EFER, l, h);
3380 + wrmsr(MSR_EFER, l, h);
3384 @@ -518,14 +481,6 @@ void __init paging_init(void)
3386 load_cr3(swapper_pg_dir);
3388 -#ifdef CONFIG_X86_PAE
3390 - * We will bail out later - printk doesn't work right now so
3391 - * the user would just see a hanging kernel.
3394 - set_in_cr4(X86_CR4_PAE);
3399 @@ -628,7 +583,7 @@ void __init mem_init(void)
3400 set_highmem_pages_init(bad_ppro);
3402 codesize = (unsigned long) &_etext - (unsigned long) &_text;
3403 - datasize = (unsigned long) &_edata - (unsigned long) &_etext;
3404 + datasize = (unsigned long) &_edata - (unsigned long) &_data;
3405 initsize = (unsigned long) &__init_end - (unsigned long) &__init_begin;
3407 kclist_add(&kcore_mem, __va(0), max_low_pfn << PAGE_SHIFT);
3408 @@ -645,10 +600,6 @@ void __init mem_init(void)
3409 (unsigned long) (totalhigh_pages << (PAGE_SHIFT-10))
3412 -#ifdef CONFIG_X86_PAE
3414 - panic("cannot execute a PAE-enabled kernel on a PAE-less CPU!");
3416 if (boot_cpu_data.wp_works_ok < 0)
3419 @@ -741,6 +692,36 @@ void free_initmem(void)
3423 +#ifdef CONFIG_PAX_KERNEXEC
3424 + /* PaX: limit KERNEL_CS to actual size */
3425 + unsigned long limit;
3431 +#ifdef CONFIG_MODULES
3432 + limit = (unsigned long)&MODULES_END - __KERNEL_TEXT_OFFSET;
3434 + limit = (unsigned long)&_etext;
3436 + limit = (limit - 1UL) >> PAGE_SHIFT;
3438 + for (cpu = 0; cpu < NR_CPUS; cpu++) {
3439 + get_cpu_gdt_table(cpu)[GDT_ENTRY_KERNEL_CS].a = (get_cpu_gdt_table(cpu)[GDT_ENTRY_KERNEL_CS].a & 0xFFFF0000UL) | (limit & 0x0FFFFUL);
3440 + get_cpu_gdt_table(cpu)[GDT_ENTRY_KERNEL_CS].b = (get_cpu_gdt_table(cpu)[GDT_ENTRY_KERNEL_CS].b & 0xFFF0FFFFUL) | (limit & 0xF0000UL);
3443 + /* PaX: make KERNEL_CS read-only */
3444 + for (addr = __KERNEL_TEXT_OFFSET; addr < (unsigned long)&_data; addr += PMD_SIZE) {
3445 + pgd = pgd_offset_k(addr);
3446 + pud = pud_offset(pgd, addr);
3447 + pmd = pmd_offset(pud, addr);
3448 + set_pmd(pmd, __pmd(pmd_val(*pmd) & ~_PAGE_RW));
3453 addr = (unsigned long)(&__init_begin);
3454 for (; addr < (unsigned long)(&__init_end); addr += PAGE_SIZE) {
3455 ClearPageReserved(virt_to_page(addr));
3456 diff -urNp linux-2.6.16.12/arch/i386/mm/mmap.c linux-2.6.16.12/arch/i386/mm/mmap.c
3457 --- linux-2.6.16.12/arch/i386/mm/mmap.c 2006-05-01 15:14:26.000000000 -0400
3458 +++ linux-2.6.16.12/arch/i386/mm/mmap.c 2006-05-01 20:17:33.000000000 -0400
3460 * Leave an at least ~128 MB hole.
3462 #define MIN_GAP (128*1024*1024)
3463 -#define MAX_GAP (TASK_SIZE/6*5)
3464 +#define MAX_GAP (task_size/6*5)
3466 static inline unsigned long mmap_base(struct mm_struct *mm)
3468 unsigned long gap = current->signal->rlim[RLIMIT_STACK].rlim_cur;
3469 unsigned long random_factor = 0;
3470 + unsigned long task_size = TASK_SIZE;
3472 +#ifdef CONFIG_PAX_SEGMEXEC
3473 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
3474 + task_size = SEGMEXEC_TASK_SIZE;
3477 if (current->flags & PF_RANDOMIZE)
3478 random_factor = get_random_int() % (1024*1024);
3479 @@ -49,7 +55,7 @@ static inline unsigned long mmap_base(st
3480 else if (gap > MAX_GAP)
3483 - return PAGE_ALIGN(TASK_SIZE - gap - random_factor);
3484 + return PAGE_ALIGN(task_size - gap - random_factor);
3488 @@ -66,10 +72,22 @@ void arch_pick_mmap_layout(struct mm_str
3489 (current->personality & ADDR_COMPAT_LAYOUT) ||
3490 current->signal->rlim[RLIMIT_STACK].rlim_cur == RLIM_INFINITY) {
3491 mm->mmap_base = TASK_UNMAPPED_BASE;
3493 +#ifdef CONFIG_PAX_RANDMMAP
3494 + if (mm->pax_flags & MF_PAX_RANDMMAP)
3495 + mm->mmap_base += mm->delta_mmap;
3498 mm->get_unmapped_area = arch_get_unmapped_area;
3499 mm->unmap_area = arch_unmap_area;
3501 mm->mmap_base = mmap_base(mm);
3503 +#ifdef CONFIG_PAX_RANDMMAP
3504 + if (mm->pax_flags & MF_PAX_RANDMMAP)
3505 + mm->mmap_base -= mm->delta_mmap + mm->delta_stack;
3508 mm->get_unmapped_area = arch_get_unmapped_area_topdown;
3509 mm->unmap_area = arch_unmap_area_topdown;
3511 diff -urNp linux-2.6.16.12/arch/i386/mm/pageattr.c linux-2.6.16.12/arch/i386/mm/pageattr.c
3512 --- linux-2.6.16.12/arch/i386/mm/pageattr.c 2006-05-01 15:14:26.000000000 -0400
3513 +++ linux-2.6.16.12/arch/i386/mm/pageattr.c 2006-05-01 20:17:33.000000000 -0400
3515 #include <asm/tlbflush.h>
3516 #include <asm/pgalloc.h>
3517 #include <asm/sections.h>
3518 +#include <asm/desc.h>
3520 static DEFINE_SPINLOCK(cpa_lock);
3521 static struct list_head df_list = LIST_HEAD_INIT(df_list);
3522 @@ -77,7 +78,18 @@ static void set_pmd_pte(pte_t *kpte, uns
3524 unsigned long flags;
3526 +#ifdef CONFIG_PAX_KERNEXEC
3527 + unsigned long cr0;
3529 + pax_open_kernel(cr0);
3532 set_pte_atomic(kpte, pte); /* change init_mm */
3534 +#ifdef CONFIG_PAX_KERNEXEC
3535 + pax_close_kernel(cr0);
3538 if (PTRS_PER_PMD > 1)
3541 @@ -104,7 +116,7 @@ static inline void revert_page(struct pa
3545 - ((address & LARGE_PAGE_MASK) < (unsigned long)&_etext)
3546 + ((address & LARGE_PAGE_MASK) < (unsigned long)&_etext + __KERNEL_TEXT_OFFSET)
3547 ? PAGE_KERNEL_LARGE_EXEC : PAGE_KERNEL_LARGE;
3550 @@ -136,7 +148,7 @@ __change_page_attr(struct page *page, pg
3554 - ((address & LARGE_PAGE_MASK) < (unsigned long)&_etext)
3555 + ((address & LARGE_PAGE_MASK) < (unsigned long)&_etext + __KERNEL_TEXT_OFFSET)
3556 ? PAGE_KERNEL_EXEC : PAGE_KERNEL;
3557 split = split_large_page(address, prot, ref_prot);
3559 diff -urNp linux-2.6.16.12/arch/i386/oprofile/backtrace.c linux-2.6.16.12/arch/i386/oprofile/backtrace.c
3560 --- linux-2.6.16.12/arch/i386/oprofile/backtrace.c 2006-05-01 15:14:26.000000000 -0400
3561 +++ linux-2.6.16.12/arch/i386/oprofile/backtrace.c 2006-05-01 20:17:33.000000000 -0400
3562 @@ -116,7 +116,7 @@ x86_backtrace(struct pt_regs * const reg
3563 head = (struct frame_head *)regs->ebp;
3566 - if (!user_mode_vm(regs)) {
3567 + if (!user_mode(regs)) {
3568 while (depth-- && valid_kernel_stack(head, regs))
3569 head = dump_kernel_backtrace(head);
3571 diff -urNp linux-2.6.16.12/arch/i386/power/cpu.c linux-2.6.16.12/arch/i386/power/cpu.c
3572 --- linux-2.6.16.12/arch/i386/power/cpu.c 2006-05-01 15:14:26.000000000 -0400
3573 +++ linux-2.6.16.12/arch/i386/power/cpu.c 2006-05-01 20:17:33.000000000 -0400
3574 @@ -62,7 +62,7 @@ static void do_fpu_end(void)
3575 static void fix_processor_context(void)
3577 int cpu = smp_processor_id();
3578 - struct tss_struct * t = &per_cpu(init_tss, cpu);
3579 + struct tss_struct * t = init_tss + cpu;
3581 set_tss_desc(cpu,t); /* This just modifies memory; should not be necessary. But... This is necessary, because 386 hardware has concept of busy TSS or some similar stupidity. */
3583 @@ -92,7 +92,7 @@ void __restore_processor_state(struct sa
3584 write_cr4(ctxt->cr4);
3585 write_cr3(ctxt->cr3);
3586 write_cr2(ctxt->cr2);
3587 - write_cr2(ctxt->cr0);
3588 + write_cr0(ctxt->cr0);
3591 * now restore the descriptor tables to their proper values
3592 diff -urNp linux-2.6.16.12/arch/ia64/ia32/binfmt_elf32.c linux-2.6.16.12/arch/ia64/ia32/binfmt_elf32.c
3593 --- linux-2.6.16.12/arch/ia64/ia32/binfmt_elf32.c 2006-05-01 15:14:26.000000000 -0400
3594 +++ linux-2.6.16.12/arch/ia64/ia32/binfmt_elf32.c 2006-05-01 20:17:33.000000000 -0400
3595 @@ -43,6 +43,17 @@ static void elf32_set_personality (void)
3597 #define elf_read_implies_exec(ex, have_pt_gnu_stack) (!(have_pt_gnu_stack))
3599 +#ifdef CONFIG_PAX_ASLR
3600 +#define PAX_ELF_ET_DYN_BASE(tsk) ((tsk)->personality == PER_LINUX32 ? 0x08048000UL : 0x4000000000000000UL)
3602 +#define PAX_DELTA_MMAP_LSB(tsk) IA32_PAGE_SHIFT
3603 +#define PAX_DELTA_MMAP_LEN(tsk) ((tsk)->personality == PER_LINUX32 ? 16 : 3*PAGE_SHIFT - IA32_PAGE_SHIFT)
3604 +#define PAX_DELTA_EXEC_LSB(tsk) IA32_PAGE_SHIFT
3605 +#define PAX_DELTA_EXEC_LEN(tsk) ((tsk)->personality == PER_LINUX32 ? 16 : 3*PAGE_SHIFT - IA32_PAGE_SHIFT)
3606 +#define PAX_DELTA_STACK_LSB(tsk) IA32_PAGE_SHIFT
3607 +#define PAX_DELTA_STACK_LEN(tsk) ((tsk)->personality == PER_LINUX32 ? 16 : 3*PAGE_SHIFT - IA32_PAGE_SHIFT)
3610 /* Ugly but avoids duplication */
3611 #include "../../../fs/binfmt_elf.c"
3613 diff -urNp linux-2.6.16.12/arch/ia64/ia32/ia32priv.h linux-2.6.16.12/arch/ia64/ia32/ia32priv.h
3614 --- linux-2.6.16.12/arch/ia64/ia32/ia32priv.h 2006-05-01 15:14:26.000000000 -0400
3615 +++ linux-2.6.16.12/arch/ia64/ia32/ia32priv.h 2006-05-01 20:17:33.000000000 -0400
3616 @@ -305,7 +305,14 @@ struct old_linux32_dirent {
3617 #define ELF_DATA ELFDATA2LSB
3618 #define ELF_ARCH EM_386
3620 -#define IA32_STACK_TOP IA32_PAGE_OFFSET
3621 +#ifdef CONFIG_PAX_RANDUSTACK
3622 +#define __IA32_DELTA_STACK (current->mm->delta_stack)
3624 +#define __IA32_DELTA_STACK 0UL
3627 +#define IA32_STACK_TOP (IA32_PAGE_OFFSET - __IA32_DELTA_STACK)
3629 #define IA32_GATE_OFFSET IA32_PAGE_OFFSET
3630 #define IA32_GATE_END IA32_PAGE_OFFSET + PAGE_SIZE
3632 diff -urNp linux-2.6.16.12/arch/ia64/kernel/module.c linux-2.6.16.12/arch/ia64/kernel/module.c
3633 --- linux-2.6.16.12/arch/ia64/kernel/module.c 2006-05-01 15:14:26.000000000 -0400
3634 +++ linux-2.6.16.12/arch/ia64/kernel/module.c 2006-05-01 20:17:33.000000000 -0400
3635 @@ -322,7 +322,7 @@ module_alloc (unsigned long size)
3637 module_free (struct module *mod, void *module_region)
3639 - if (mod->arch.init_unw_table && module_region == mod->module_init) {
3640 + if (mod->arch.init_unw_table && module_region == mod->module_init_rx) {
3641 unw_remove_unwind_table(mod->arch.init_unw_table);
3642 mod->arch.init_unw_table = NULL;
3644 @@ -500,15 +500,39 @@ module_frob_arch_sections (Elf_Ehdr *ehd
3648 +in_init_rx (const struct module *mod, uint64_t addr)
3650 + return addr - (uint64_t) mod->module_init_rx < mod->init_size_rx;
3654 +in_init_rw (const struct module *mod, uint64_t addr)
3656 + return addr - (uint64_t) mod->module_init_rw < mod->init_size_rw;
3660 in_init (const struct module *mod, uint64_t addr)
3662 - return addr - (uint64_t) mod->module_init < mod->init_size;
3663 + return in_init_rx(mod, value) || in_init_rw(mod, value);
3667 +in_core_rx (const struct module *mod, uint64_t addr)
3669 + return addr - (uint64_t) mod->module_core_rx < mod->core_size_rx;
3673 +in_core_rw (const struct module *mod, uint64_t addr)
3675 + return addr - (uint64_t) mod->module_core_rw < mod->core_size_rw;
3679 in_core (const struct module *mod, uint64_t addr)
3681 - return addr - (uint64_t) mod->module_core < mod->core_size;
3682 + return in_core_rx(mod, value) || in_core_rw(mod, value);
3686 @@ -692,7 +716,14 @@ do_reloc (struct module *mod, uint8_t r_
3690 - val -= (uint64_t) (in_init(mod, val) ? mod->module_init : mod->module_core);
3691 + if (in_init_rx(mod, val))
3692 + val -= (uint64_t) mod->module_init_rx;
3693 + else if (in_init_rw(mod, val))
3694 + val -= (uint64_t) mod->module_init_rw;
3695 + else if (in_core_rx(mod, val))
3696 + val -= (uint64_t) mod->module_core_rx;
3697 + else if (in_core_rw(mod, val))
3698 + val -= (uint64_t) mod->module_core_rw;
3702 @@ -826,15 +857,15 @@ apply_relocate_add (Elf64_Shdr *sechdrs,
3703 * addresses have been selected...
3706 - if (mod->core_size > MAX_LTOFF)
3707 + if (mod->core_size_rx + mod->core_size_rw > MAX_LTOFF)
3709 * This takes advantage of fact that SHF_ARCH_SMALL gets allocated
3710 * at the end of the module.
3712 - gp = mod->core_size - MAX_LTOFF / 2;
3713 + gp = mod->core_size_rx + mod->core_size_rw - MAX_LTOFF / 2;
3715 - gp = mod->core_size / 2;
3716 - gp = (uint64_t) mod->module_core + ((gp + 7) & -8);
3717 + gp = (mod->core_size_rx + mod->core_size_rw) / 2;
3718 + gp = (uint64_t) mod->module_core_rx + ((gp + 7) & -8);
3720 DEBUGP("%s: placing gp at 0x%lx\n", __FUNCTION__, gp);
3722 diff -urNp linux-2.6.16.12/arch/ia64/kernel/ptrace.c linux-2.6.16.12/arch/ia64/kernel/ptrace.c
3723 --- linux-2.6.16.12/arch/ia64/kernel/ptrace.c 2006-05-01 15:14:26.000000000 -0400
3724 +++ linux-2.6.16.12/arch/ia64/kernel/ptrace.c 2006-05-01 20:17:33.000000000 -0400
3726 #include <linux/audit.h>
3727 #include <linux/signal.h>
3728 #include <linux/vs_pid.h>
3729 +#include <linux/grsecurity.h>
3731 #include <asm/pgtable.h>
3732 #include <asm/processor.h>
3733 @@ -1451,6 +1452,9 @@ sys_ptrace (long request, pid_t pid, uns
3734 if (pid == 1) /* no messing around with init! */
3737 + if (gr_handle_ptrace(child, request))
3740 if (request == PTRACE_ATTACH) {
3741 ret = ptrace_attach(child);
3743 diff -urNp linux-2.6.16.12/arch/ia64/kernel/sys_ia64.c linux-2.6.16.12/arch/ia64/kernel/sys_ia64.c
3744 --- linux-2.6.16.12/arch/ia64/kernel/sys_ia64.c 2006-05-01 15:14:26.000000000 -0400
3745 +++ linux-2.6.16.12/arch/ia64/kernel/sys_ia64.c 2006-05-01 20:17:33.000000000 -0400
3746 @@ -38,6 +38,13 @@ arch_get_unmapped_area (struct file *fil
3747 if (REGION_NUMBER(addr) == RGN_HPAGE)
3751 +#ifdef CONFIG_PAX_RANDMMAP
3752 + if ((mm->pax_flags & MF_PAX_RANDMMAP) && addr && filp)
3753 + addr = mm->free_area_cache;
3758 addr = mm->free_area_cache;
3760 @@ -56,9 +63,9 @@ arch_get_unmapped_area (struct file *fil
3761 for (vma = find_vma(mm, addr); ; vma = vma->vm_next) {
3762 /* At this point: (!vma || addr < vma->vm_end). */
3763 if (TASK_SIZE - len < addr || RGN_MAP_LIMIT - len < REGION_OFFSET(addr)) {
3764 - if (start_addr != TASK_UNMAPPED_BASE) {
3765 + if (start_addr != mm->mmap_base) {
3766 /* Start a new search --- just in case we missed some holes. */
3767 - addr = TASK_UNMAPPED_BASE;
3768 + addr = mm->mmap_base;
3772 diff -urNp linux-2.6.16.12/arch/ia64/mm/fault.c linux-2.6.16.12/arch/ia64/mm/fault.c
3773 --- linux-2.6.16.12/arch/ia64/mm/fault.c 2006-05-01 15:14:26.000000000 -0400
3774 +++ linux-2.6.16.12/arch/ia64/mm/fault.c 2006-05-01 20:17:33.000000000 -0400
3776 #include <linux/interrupt.h>
3777 #include <linux/kprobes.h>
3778 #include <linux/vs_memory.h>
3779 +#include <linux/binfmts.h>
3781 #include <asm/pgtable.h>
3782 #include <asm/processor.h>
3783 @@ -52,6 +53,23 @@ mapped_kernel_page_is_present (unsigned
3784 return pte_present(pte);
3787 +#ifdef CONFIG_PAX_PAGEEXEC
3788 +void pax_report_insns(void *pc, void *sp)
3792 + printk(KERN_ERR "PAX: bytes at PC: ");
3793 + for (i = 0; i < 8; i++) {
3795 + if (get_user(c, (unsigned int*)pc+i))
3796 + printk("???????? ");
3798 + printk("%08x ", c);
3805 ia64_do_page_fault (unsigned long address, unsigned long isr, struct pt_regs *regs)
3807 @@ -114,9 +132,23 @@ ia64_do_page_fault (unsigned long addres
3808 | (((isr >> IA64_ISR_W_BIT) & 1UL) << VM_WRITE_BIT)
3809 | (((isr >> IA64_ISR_R_BIT) & 1UL) << VM_READ_BIT));
3811 - if ((vma->vm_flags & mask) != mask)
3812 + if ((vma->vm_flags & mask) != mask) {
3814 +#ifdef CONFIG_PAX_PAGEEXEC
3815 + if (!(vma->vm_flags & VM_EXEC) && (mask & VM_EXEC)) {
3816 + if (!(mm->pax_flags & MF_PAX_PAGEEXEC) || address != regs->cr_iip)
3819 + up_read(&mm->mmap_sem);
3820 + pax_report_fault(regs, (void*)regs->cr_iip, (void*)regs->r12);
3831 * If for any reason at all we couldn't handle the fault, make
3832 diff -urNp linux-2.6.16.12/arch/ia64/mm/init.c linux-2.6.16.12/arch/ia64/mm/init.c
3833 --- linux-2.6.16.12/arch/ia64/mm/init.c 2006-05-01 15:14:26.000000000 -0400
3834 +++ linux-2.6.16.12/arch/ia64/mm/init.c 2006-05-01 20:17:33.000000000 -0400
3836 #include <linux/swap.h>
3837 #include <linux/proc_fs.h>
3838 #include <linux/bitops.h>
3839 +#include <linux/a.out.h>
3841 -#include <asm/a.out.h>
3842 #include <asm/dma.h>
3843 #include <asm/ia32.h>
3845 diff -urNp linux-2.6.16.12/arch/mips/kernel/binfmt_elfn32.c linux-2.6.16.12/arch/mips/kernel/binfmt_elfn32.c
3846 --- linux-2.6.16.12/arch/mips/kernel/binfmt_elfn32.c 2006-05-01 15:14:26.000000000 -0400
3847 +++ linux-2.6.16.12/arch/mips/kernel/binfmt_elfn32.c 2006-05-01 20:17:33.000000000 -0400
3848 @@ -50,6 +50,17 @@ typedef elf_fpreg_t elf_fpregset_t[ELF_N
3849 #undef ELF_ET_DYN_BASE
3850 #define ELF_ET_DYN_BASE (TASK32_SIZE / 3 * 2)
3852 +#ifdef CONFIG_PAX_ASLR
3853 +#define PAX_ELF_ET_DYN_BASE(tsk) (((tsk)->thread.mflags & MF_32BIT_ADDR) ? 0x00400000UL : 0x00400000UL)
3855 +#define PAX_DELTA_MMAP_LSB(tsk) PAGE_SHIFT
3856 +#define PAX_DELTA_MMAP_LEN(tsk) (((tsk)->thread.mflags & MF_32BIT_ADDR) ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
3857 +#define PAX_DELTA_EXEC_LSB(tsk) PAGE_SHIFT
3858 +#define PAX_DELTA_EXEC_LEN(tsk) (((tsk)->thread.mflags & MF_32BIT_ADDR) ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
3859 +#define PAX_DELTA_STACK_LSB(tsk) PAGE_SHIFT
3860 +#define PAX_DELTA_STACK_LEN(tsk) (((tsk)->thread.mflags & MF_32BIT_ADDR) ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
3863 #include <asm/processor.h>
3864 #include <linux/module.h>
3865 #include <linux/elfcore.h>
3866 diff -urNp linux-2.6.16.12/arch/mips/kernel/binfmt_elfo32.c linux-2.6.16.12/arch/mips/kernel/binfmt_elfo32.c
3867 --- linux-2.6.16.12/arch/mips/kernel/binfmt_elfo32.c 2006-05-01 15:14:26.000000000 -0400
3868 +++ linux-2.6.16.12/arch/mips/kernel/binfmt_elfo32.c 2006-05-01 20:17:33.000000000 -0400
3869 @@ -52,6 +52,17 @@ typedef elf_fpreg_t elf_fpregset_t[ELF_N
3870 #undef ELF_ET_DYN_BASE
3871 #define ELF_ET_DYN_BASE (TASK32_SIZE / 3 * 2)
3873 +#ifdef CONFIG_PAX_ASLR
3874 +#define PAX_ELF_ET_DYN_BASE(tsk) (((tsk)->thread.mflags & MF_32BIT_ADDR) ? 0x00400000UL : 0x00400000UL)
3876 +#define PAX_DELTA_MMAP_LSB(tsk) PAGE_SHIFT
3877 +#define PAX_DELTA_MMAP_LEN(tsk) (((tsk)->thread.mflags & MF_32BIT_ADDR) ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
3878 +#define PAX_DELTA_EXEC_LSB(tsk) PAGE_SHIFT
3879 +#define PAX_DELTA_EXEC_LEN(tsk) (((tsk)->thread.mflags & MF_32BIT_ADDR) ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
3880 +#define PAX_DELTA_STACK_LSB(tsk) PAGE_SHIFT
3881 +#define PAX_DELTA_STACK_LEN(tsk) (((tsk)->thread.mflags & MF_32BIT_ADDR) ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
3884 #include <asm/processor.h>
3885 #include <linux/module.h>
3886 #include <linux/elfcore.h>
3887 diff -urNp linux-2.6.16.12/arch/mips/kernel/syscall.c linux-2.6.16.12/arch/mips/kernel/syscall.c
3888 --- linux-2.6.16.12/arch/mips/kernel/syscall.c 2006-05-01 15:14:26.000000000 -0400
3889 +++ linux-2.6.16.12/arch/mips/kernel/syscall.c 2006-05-01 20:17:33.000000000 -0400
3890 @@ -90,6 +90,11 @@ unsigned long arch_get_unmapped_area(str
3892 if (filp || (flags & MAP_SHARED))
3895 +#ifdef CONFIG_PAX_RANDMMAP
3896 + if (!(current->mm->pax_flags & MF_PAX_RANDMMAP) || !filp)
3901 addr = COLOUR_ALIGN(addr, pgoff);
3902 @@ -100,7 +105,7 @@ unsigned long arch_get_unmapped_area(str
3903 (!vmm || addr + len <= vmm->vm_start))
3906 - addr = TASK_UNMAPPED_BASE;
3907 + addr = current->mm->mmap_base;
3909 addr = COLOUR_ALIGN(addr, pgoff);
3911 diff -urNp linux-2.6.16.12/arch/mips/mm/fault.c linux-2.6.16.12/arch/mips/mm/fault.c
3912 --- linux-2.6.16.12/arch/mips/mm/fault.c 2006-05-01 15:14:26.000000000 -0400
3913 +++ linux-2.6.16.12/arch/mips/mm/fault.c 2006-05-01 20:17:33.000000000 -0400
3915 #include <asm/ptrace.h>
3916 #include <asm/highmem.h> /* For VMALLOC_END */
3918 +#ifdef CONFIG_PAX_PAGEEXEC
3919 +void pax_report_insns(void *pc)
3923 + printk(KERN_ERR "PAX: bytes at PC: ");
3924 + for (i = 0; i < 5; i++) {
3926 + if (get_user(c, (unsigned int*)pc+i))
3927 + printk("???????? ");
3929 + printk("%08x ", c);
3936 * This routine handles page faults. It determines the address,
3937 * and the problem, and then passes it off to one of the appropriate
3938 diff -urNp linux-2.6.16.12/arch/parisc/kernel/module.c linux-2.6.16.12/arch/parisc/kernel/module.c
3939 --- linux-2.6.16.12/arch/parisc/kernel/module.c 2006-05-01 15:14:26.000000000 -0400
3940 +++ linux-2.6.16.12/arch/parisc/kernel/module.c 2006-05-01 20:17:33.000000000 -0400
3943 /* three functions to determine where in the module core
3944 * or init pieces the location is */
3945 +static inline int is_init_rx(struct module *me, void *loc)
3947 + return (loc >= me->module_init_rx &&
3948 + loc < (me->module_init_rx + me->init_size_rx));
3951 +static inline int is_init_rw(struct module *me, void *loc)
3953 + return (loc >= me->module_init_rw &&
3954 + loc < (me->module_init_rw + me->init_size_rw));
3957 static inline int is_init(struct module *me, void *loc)
3959 - return (loc >= me->module_init &&
3960 - loc <= (me->module_init + me->init_size));
3961 + return is_init_rx(me, loc) || is_init_rw(me, loc);
3964 +static inline int is_core_rx(struct module *me, void *loc)
3966 + return (loc >= me->module_core_rx &&
3967 + loc < (me->module_core_rx + me->core_size_rx));
3970 +static inline int is_core_rw(struct module *me, void *loc)
3972 + return (loc >= me->module_core_rw &&
3973 + loc < (me->module_core_rw + me->core_size_rw));
3976 static inline int is_core(struct module *me, void *loc)
3978 - return (loc >= me->module_core &&
3979 - loc <= (me->module_core + me->core_size));
3980 + return is_core_rx(me, loc) || is_core_rw(me, loc);
3983 static inline int is_local(struct module *me, void *loc)
3984 @@ -289,21 +311,21 @@ int module_frob_arch_sections(CONST Elf_
3987 /* align things a bit */
3988 - me->core_size = ALIGN(me->core_size, 16);
3989 - me->arch.got_offset = me->core_size;
3990 - me->core_size += gots * sizeof(struct got_entry);
3992 - me->core_size = ALIGN(me->core_size, 16);
3993 - me->arch.fdesc_offset = me->core_size;
3994 - me->core_size += fdescs * sizeof(Elf_Fdesc);
3996 - me->core_size = ALIGN(me->core_size, 16);
3997 - me->arch.stub_offset = me->core_size;
3998 - me->core_size += stubs * sizeof(struct stub_entry);
4000 - me->init_size = ALIGN(me->init_size, 16);
4001 - me->arch.init_stub_offset = me->init_size;
4002 - me->init_size += init_stubs * sizeof(struct stub_entry);
4003 + me->core_size_rw = ALIGN(me->core_size_rw, 16);
4004 + me->arch.got_offset = me->core_size_rw;
4005 + me->core_size_rw += gots * sizeof(struct got_entry);
4007 + me->core_size_rw = ALIGN(me->core_size_rw, 16);
4008 + me->arch.fdesc_offset = me->core_size_rw;
4009 + me->core_size_rw += fdescs * sizeof(Elf_Fdesc);
4011 + me->core_size_rx = ALIGN(me->core_size_rx, 16);
4012 + me->arch.stub_offset = me->core_size_rx;
4013 + me->core_size_rx += stubs * sizeof(struct stub_entry);
4015 + me->init_size_rx = ALIGN(me->init_size_rx, 16);
4016 + me->arch.init_stub_offset = me->init_size_rx;
4017 + me->init_size_rx += init_stubs * sizeof(struct stub_entry);
4019 me->arch.got_max = gots;
4020 me->arch.fdesc_max = fdescs;
4021 @@ -323,7 +345,7 @@ static Elf64_Word get_got(struct module
4025 - got = me->module_core + me->arch.got_offset;
4026 + got = me->module_core_rw + me->arch.got_offset;
4027 for (i = 0; got[i].addr; i++)
4028 if (got[i].addr == value)
4030 @@ -341,7 +363,7 @@ static Elf64_Word get_got(struct module
4032 static Elf_Addr get_fdesc(struct module *me, unsigned long value)
4034 - Elf_Fdesc *fdesc = me->module_core + me->arch.fdesc_offset;
4035 + Elf_Fdesc *fdesc = me->module_core_rw + me->arch.fdesc_offset;
4038 printk(KERN_ERR "%s: zero OPD requested!\n", me->name);
4039 @@ -359,7 +381,7 @@ static Elf_Addr get_fdesc(struct module
4041 /* Create new one */
4042 fdesc->addr = value;
4043 - fdesc->gp = (Elf_Addr)me->module_core + me->arch.got_offset;
4044 + fdesc->gp = (Elf_Addr)me->module_core_rw + me->arch.got_offset;
4045 return (Elf_Addr)fdesc;
4047 #endif /* __LP64__ */
4048 @@ -373,12 +395,12 @@ static Elf_Addr get_stub(struct module *
4050 i = me->arch.init_stub_count++;
4051 BUG_ON(me->arch.init_stub_count > me->arch.init_stub_max);
4052 - stub = me->module_init + me->arch.init_stub_offset +
4053 + stub = me->module_init_rx + me->arch.init_stub_offset +
4054 i * sizeof(struct stub_entry);
4056 i = me->arch.stub_count++;
4057 BUG_ON(me->arch.stub_count > me->arch.stub_max);
4058 - stub = me->module_core + me->arch.stub_offset +
4059 + stub = me->module_core_rx + me->arch.stub_offset +
4060 i * sizeof(struct stub_entry);
4063 @@ -721,7 +743,7 @@ register_unwind_table(struct module *me,
4065 table = (unsigned char *)sechdrs[me->arch.unwind_section].sh_addr;
4066 end = table + sechdrs[me->arch.unwind_section].sh_size;
4067 - gp = (Elf_Addr)me->module_core + me->arch.got_offset;
4068 + gp = (Elf_Addr)me->module_core_rw + me->arch.got_offset;
4070 DEBUGP("register_unwind_table(), sect = %d at 0x%p - 0x%p (gp=0x%lx)\n",
4071 me->arch.unwind_section, table, end, gp);
4072 diff -urNp linux-2.6.16.12/arch/parisc/kernel/ptrace.c linux-2.6.16.12/arch/parisc/kernel/ptrace.c
4073 --- linux-2.6.16.12/arch/parisc/kernel/ptrace.c 2006-05-01 15:14:26.000000000 -0400
4074 +++ linux-2.6.16.12/arch/parisc/kernel/ptrace.c 2006-05-01 20:17:33.000000000 -0400
4076 #include <linux/security.h>
4077 #include <linux/compat.h>
4078 #include <linux/signal.h>
4079 +#include <linux/grsecurity.h>
4081 #include <asm/uaccess.h>
4082 #include <asm/pgtable.h>
4083 diff -urNp linux-2.6.16.12/arch/parisc/kernel/sys_parisc.c linux-2.6.16.12/arch/parisc/kernel/sys_parisc.c
4084 --- linux-2.6.16.12/arch/parisc/kernel/sys_parisc.c 2006-05-01 15:14:26.000000000 -0400
4085 +++ linux-2.6.16.12/arch/parisc/kernel/sys_parisc.c 2006-05-01 20:17:33.000000000 -0400
4086 @@ -105,7 +105,7 @@ unsigned long arch_get_unmapped_area(str
4087 if (len > TASK_SIZE)
4090 - addr = TASK_UNMAPPED_BASE;
4091 + addr = current->mm->mmap_base;
4094 addr = get_shared_area(filp->f_mapping, addr, len, pgoff);
4095 diff -urNp linux-2.6.16.12/arch/parisc/kernel/traps.c linux-2.6.16.12/arch/parisc/kernel/traps.c
4096 --- linux-2.6.16.12/arch/parisc/kernel/traps.c 2006-05-01 15:14:26.000000000 -0400
4097 +++ linux-2.6.16.12/arch/parisc/kernel/traps.c 2006-05-01 20:17:33.000000000 -0400
4098 @@ -712,9 +712,7 @@ void handle_interruption(int code, struc
4100 down_read(¤t->mm->mmap_sem);
4101 vma = find_vma(current->mm,regs->iaoq[0]);
4102 - if (vma && (regs->iaoq[0] >= vma->vm_start)
4103 - && (vma->vm_flags & VM_EXEC)) {
4105 + if (vma && (regs->iaoq[0] >= vma->vm_start)) {
4106 fault_address = regs->iaoq[0];
4107 fault_space = regs->iasq[0];
4109 diff -urNp linux-2.6.16.12/arch/parisc/mm/fault.c linux-2.6.16.12/arch/parisc/mm/fault.c
4110 --- linux-2.6.16.12/arch/parisc/mm/fault.c 2006-05-01 15:14:26.000000000 -0400
4111 +++ linux-2.6.16.12/arch/parisc/mm/fault.c 2006-05-01 20:17:33.000000000 -0400
4113 #include <linux/sched.h>
4114 #include <linux/interrupt.h>
4115 #include <linux/module.h>
4116 +#include <linux/unistd.h>
4117 +#include <linux/binfmts.h>
4119 #include <asm/uaccess.h>
4120 #include <asm/traps.h>
4121 @@ -57,7 +59,7 @@ DEFINE_PER_CPU(struct exception_data, ex
4122 static unsigned long
4123 parisc_acctyp(unsigned long code, unsigned int inst)
4125 - if (code == 6 || code == 16)
4126 + if (code == 6 || code == 7 || code == 16)
4129 switch (inst & 0xf0000000) {
4130 @@ -143,6 +145,116 @@ parisc_acctyp(unsigned long code, unsign
4134 +#ifdef CONFIG_PAX_PAGEEXEC
4136 + * PaX: decide what to do with offenders (instruction_pointer(regs) = fault address)
4138 + * returns 1 when task should be killed
4139 + * 2 when rt_sigreturn trampoline was detected
4140 + * 3 when unpatched PLT trampoline was detected
4142 +static int pax_handle_fetch_fault(struct pt_regs *regs)
4145 +#ifdef CONFIG_PAX_EMUPLT
4148 + do { /* PaX: unpatched PLT emulation */
4149 + unsigned int bl, depwi;
4151 + err = get_user(bl, (unsigned int*)instruction_pointer(regs));
4152 + err |= get_user(depwi, (unsigned int*)(instruction_pointer(regs)+4));
4157 + if (bl == 0xEA9F1FDDU && depwi == 0xD6801C1EU) {
4158 + unsigned int ldw, bv, ldw2, addr = instruction_pointer(regs)-12;
4160 + err = get_user(ldw, (unsigned int*)addr);
4161 + err |= get_user(bv, (unsigned int*)(addr+4));
4162 + err |= get_user(ldw2, (unsigned int*)(addr+8));
4167 + if (ldw == 0x0E801096U &&
4168 + bv == 0xEAC0C000U &&
4169 + ldw2 == 0x0E881095U)
4171 + unsigned int resolver, map;
4173 + err = get_user(resolver, (unsigned int*)(instruction_pointer(regs)+8));
4174 + err |= get_user(map, (unsigned int*)(instruction_pointer(regs)+12));
4178 + regs->gr[20] = instruction_pointer(regs)+8;
4179 + regs->gr[21] = map;
4180 + regs->gr[22] = resolver;
4181 + regs->iaoq[0] = resolver | 3UL;
4182 + regs->iaoq[1] = regs->iaoq[0] + 4;
4189 +#ifdef CONFIG_PAX_EMUTRAMP
4191 +#ifndef CONFIG_PAX_EMUSIGRT
4192 + if (!(current->mm->pax_flags & MF_PAX_EMUTRAMP))
4196 + do { /* PaX: rt_sigreturn emulation */
4197 + unsigned int ldi1, ldi2, bel, nop;
4199 + err = get_user(ldi1, (unsigned int *)instruction_pointer(regs));
4200 + err |= get_user(ldi2, (unsigned int *)(instruction_pointer(regs)+4));
4201 + err |= get_user(bel, (unsigned int *)(instruction_pointer(regs)+8));
4202 + err |= get_user(nop, (unsigned int *)(instruction_pointer(regs)+12));
4207 + if ((ldi1 == 0x34190000U || ldi1 == 0x34190002U) &&
4208 + ldi2 == 0x3414015AU &&
4209 + bel == 0xE4008200U &&
4210 + nop == 0x08000240U)
4212 + regs->gr[25] = (ldi1 & 2) >> 1;
4213 + regs->gr[20] = __NR_rt_sigreturn;
4214 + regs->gr[31] = regs->iaoq[1] + 16;
4215 + regs->sr[0] = regs->iasq[1];
4216 + regs->iaoq[0] = 0x100UL;
4217 + regs->iaoq[1] = regs->iaoq[0] + 4;
4218 + regs->iasq[0] = regs->sr[2];
4219 + regs->iasq[1] = regs->sr[2];
4228 +void pax_report_insns(void *pc, void *sp)
4232 + printk(KERN_ERR "PAX: bytes at PC: ");
4233 + for (i = 0; i < 5; i++) {
4235 + if (get_user(c, (unsigned int*)pc+i))
4236 + printk("???????? ");
4238 + printk("%08x ", c);
4244 void do_page_fault(struct pt_regs *regs, unsigned long code,
4245 unsigned long address)
4247 @@ -168,8 +280,33 @@ good_area:
4249 acc_type = parisc_acctyp(code,regs->iir);
4251 - if ((vma->vm_flags & acc_type) != acc_type)
4252 + if ((vma->vm_flags & acc_type) != acc_type) {
4254 +#ifdef CONFIG_PAX_PAGEEXEC
4255 + if ((mm->pax_flags & MF_PAX_PAGEEXEC) && (acc_type & VM_EXEC) &&
4256 + (address & ~3UL) == instruction_pointer(regs))
4258 + up_read(&mm->mmap_sem);
4259 + switch(pax_handle_fetch_fault(regs)) {
4261 +#ifdef CONFIG_PAX_EMUPLT
4266 +#ifdef CONFIG_PAX_EMUTRAMP
4272 + pax_report_fault(regs, (void*)instruction_pointer(regs), (void*)regs->gr[30]);
4281 * If for any reason at all we couldn't handle the fault, make
4282 diff -urNp linux-2.6.16.12/arch/powerpc/mm/fault.c linux-2.6.16.12/arch/powerpc/mm/fault.c
4283 --- linux-2.6.16.12/arch/powerpc/mm/fault.c 2006-05-01 15:14:26.000000000 -0400
4284 +++ linux-2.6.16.12/arch/powerpc/mm/fault.c 2006-05-01 20:17:33.000000000 -0400
4286 #include <linux/highmem.h>
4287 #include <linux/module.h>
4288 #include <linux/kprobes.h>
4289 +#include <linux/binfmts.h>
4291 #include <asm/page.h>
4292 #include <asm/pgtable.h>
4293 @@ -105,6 +106,38 @@ static void do_dabr(struct pt_regs *regs
4295 #endif /* !(CONFIG_4xx || CONFIG_BOOKE)*/
4297 +#ifdef CONFIG_PAX_PAGEEXEC
4299 + * PaX: decide what to do with offenders (regs->nip = fault address)
4301 + * returns 1 when task should be killed
4303 +static int pax_handle_fetch_fault(struct pt_regs *regs)
4306 +#if defined(CONFIG_PAX_EMUPLT) || defined(CONFIG_PAX_EMUSIGRT)
4313 +void pax_report_insns(void *pc, void *sp)
4317 + printk(KERN_ERR "PAX: bytes at PC: ");
4318 + for (i = 0; i < 5; i++) {
4320 + if (get_user(c, (unsigned int*)pc+i))
4321 + printk("???????? ");
4323 + printk("%08x ", c);
4330 * For 600- and 800-family processors, the error_code parameter is DSISR
4331 * for a data fault, SRR1 for an instruction fault. For 400-family processors
4332 @@ -333,6 +366,19 @@ bad_area:
4333 bad_area_nosemaphore:
4334 /* User mode accesses cause a SIGSEGV */
4335 if (user_mode(regs)) {
4337 +#ifdef CONFIG_PAX_PAGEEXEC
4338 + if (mm->pax_flags & MF_PAX_PAGEEXEC) {
4339 + if (is_exec && (error_code & DSISR_PROTFAULT)) {
4340 + switch (pax_handle_fetch_fault(regs)) {
4343 + pax_report_fault(regs, (void*)regs->nip, (void*)regs->gpr[1]);
4349 _exception(SIGSEGV, regs, code, address);
4352 diff -urNp linux-2.6.16.12/arch/powerpc/mm/mmap.c linux-2.6.16.12/arch/powerpc/mm/mmap.c
4353 --- linux-2.6.16.12/arch/powerpc/mm/mmap.c 2006-05-01 15:14:26.000000000 -0400
4354 +++ linux-2.6.16.12/arch/powerpc/mm/mmap.c 2006-05-01 20:17:33.000000000 -0400
4355 @@ -76,10 +76,22 @@ void arch_pick_mmap_layout(struct mm_str
4357 if (mmap_is_legacy()) {
4358 mm->mmap_base = TASK_UNMAPPED_BASE;
4360 +#ifdef CONFIG_PAX_RANDMMAP
4361 + if (mm->pax_flags & MF_PAX_RANDMMAP)
4362 + mm->mmap_base += mm->delta_mmap;
4365 mm->get_unmapped_area = arch_get_unmapped_area;
4366 mm->unmap_area = arch_unmap_area;
4368 mm->mmap_base = mmap_base();
4370 +#ifdef CONFIG_PAX_RANDMMAP
4371 + if (mm->pax_flags & MF_PAX_RANDMMAP)
4372 + mm->mmap_base -= mm->delta_mmap;
4375 mm->get_unmapped_area = arch_get_unmapped_area_topdown;
4376 mm->unmap_area = arch_unmap_area_topdown;
4378 diff -urNp linux-2.6.16.12/arch/ppc/kernel/module.c linux-2.6.16.12/arch/ppc/kernel/module.c
4379 --- linux-2.6.16.12/arch/ppc/kernel/module.c 2006-05-01 15:14:26.000000000 -0400
4380 +++ linux-2.6.16.12/arch/ppc/kernel/module.c 2006-05-01 20:17:33.000000000 -0400
4381 @@ -164,8 +164,8 @@ static uint32_t do_plt_call(void *locati
4383 DEBUGP("Doing plt for call to 0x%x at 0x%x\n", val, (unsigned int)location);
4384 /* Init, or core PLT? */
4385 - if (location >= mod->module_core
4386 - && location < mod->module_core + mod->core_size)
4387 + if (location >= mod->module_core_rx
4388 + && location < mod->module_core_rx + mod->core_size_rx)
4389 entry = (void *)sechdrs[mod->arch.core_plt_section].sh_addr;
4391 entry = (void *)sechdrs[mod->arch.init_plt_section].sh_addr;
4392 diff -urNp linux-2.6.16.12/arch/ppc/mm/fault.c linux-2.6.16.12/arch/ppc/mm/fault.c
4393 --- linux-2.6.16.12/arch/ppc/mm/fault.c 2006-05-01 15:14:26.000000000 -0400
4394 +++ linux-2.6.16.12/arch/ppc/mm/fault.c 2006-05-01 20:17:33.000000000 -0400
4396 #include <linux/interrupt.h>
4397 #include <linux/highmem.h>
4398 #include <linux/module.h>
4399 +#include <linux/slab.h>
4400 +#include <linux/pagemap.h>
4401 +#include <linux/compiler.h>
4402 +#include <linux/binfmts.h>
4403 +#include <linux/unistd.h>
4405 #include <asm/page.h>
4406 #include <asm/pgtable.h>
4407 @@ -51,6 +56,364 @@ unsigned long pte_misses; /* updated by
4408 unsigned long pte_errors; /* updated by do_page_fault() */
4409 unsigned int probingmem;
4411 +#ifdef CONFIG_PAX_EMUSIGRT
4412 +void pax_syscall_close(struct vm_area_struct * vma)
4414 + vma->vm_mm->call_syscall = 0UL;
4417 +static struct page* pax_syscall_nopage(struct vm_area_struct *vma, unsigned long address, int *type)
4419 + struct page* page;
4420 + unsigned int *kaddr;
4422 + page = alloc_page(GFP_HIGHUSER);
4424 + return NOPAGE_OOM;
4426 + kaddr = kmap(page);
4427 + memset(kaddr, 0, PAGE_SIZE);
4428 + kaddr[0] = 0x44000002U; /* sc */
4429 + __flush_dcache_icache(kaddr);
4432 + *type = VM_FAULT_MAJOR;
4436 +static struct vm_operations_struct pax_vm_ops = {
4437 + .close = pax_syscall_close,
4438 + .nopage = pax_syscall_nopage,
4441 +static int pax_insert_vma(struct vm_area_struct *vma, unsigned long addr)
4445 + memset(vma, 0, sizeof(*vma));
4446 + vma->vm_mm = current->mm;
4447 + vma->vm_start = addr;
4448 + vma->vm_end = addr + PAGE_SIZE;
4449 + vma->vm_flags = VM_READ | VM_EXEC | VM_MAYREAD | VM_MAYEXEC;
4450 + vma->vm_page_prot = protection_map[vma->vm_flags & 0x0f];
4451 + vma->vm_ops = &pax_vm_ops;
4453 + ret = insert_vm_struct(current->mm, vma);
4457 + ++current->mm->total_vm;
4462 +#ifdef CONFIG_PAX_PAGEEXEC
4464 + * PaX: decide what to do with offenders (regs->nip = fault address)
4466 + * returns 1 when task should be killed
4467 + * 2 when patched GOT trampoline was detected
4468 + * 3 when patched PLT trampoline was detected
4469 + * 4 when unpatched PLT trampoline was detected
4470 + * 5 when sigreturn trampoline was detected
4471 + * 7 when rt_sigreturn trampoline was detected
4473 +static int pax_handle_fetch_fault(struct pt_regs *regs)
4476 +#if defined(CONFIG_PAX_EMUPLT) || defined(CONFIG_PAX_EMUSIGRT)
4480 +#ifdef CONFIG_PAX_EMUPLT
4481 + do { /* PaX: patched GOT emulation */
4482 + unsigned int blrl;
4484 + err = get_user(blrl, (unsigned int*)regs->nip);
4486 + if (!err && blrl == 0x4E800021U) {
4487 + unsigned long temp = regs->nip;
4489 + regs->nip = regs->link & 0xFFFFFFFCUL;
4490 + regs->link = temp + 4UL;
4495 + do { /* PaX: patched PLT emulation #1 */
4498 + err = get_user(b, (unsigned int *)regs->nip);
4500 + if (!err && (b & 0xFC000003U) == 0x48000000U) {
4501 + regs->nip += (((b | 0xFC000000UL) ^ 0x02000000UL) + 0x02000000UL);
4506 + do { /* PaX: unpatched PLT emulation #1 */
4507 + unsigned int li, b;
4509 + err = get_user(li, (unsigned int *)regs->nip);
4510 + err |= get_user(b, (unsigned int *)(regs->nip+4));
4512 + if (!err && (li & 0xFFFF0000U) == 0x39600000U && (b & 0xFC000003U) == 0x48000000U) {
4513 + unsigned int rlwinm, add, li2, addis2, mtctr, li3, addis3, bctr;
4514 + unsigned long addr = b | 0xFC000000UL;
4516 + addr = regs->nip + 4 + ((addr ^ 0x02000000UL) + 0x02000000UL);
4517 + err = get_user(rlwinm, (unsigned int*)addr);
4518 + err |= get_user(add, (unsigned int*)(addr+4));
4519 + err |= get_user(li2, (unsigned int*)(addr+8));
4520 + err |= get_user(addis2, (unsigned int*)(addr+12));
4521 + err |= get_user(mtctr, (unsigned int*)(addr+16));
4522 + err |= get_user(li3, (unsigned int*)(addr+20));
4523 + err |= get_user(addis3, (unsigned int*)(addr+24));
4524 + err |= get_user(bctr, (unsigned int*)(addr+28));
4529 + if (rlwinm == 0x556C083CU &&
4530 + add == 0x7D6C5A14U &&
4531 + (li2 & 0xFFFF0000U) == 0x39800000U &&
4532 + (addis2 & 0xFFFF0000U) == 0x3D8C0000U &&
4533 + mtctr == 0x7D8903A6U &&
4534 + (li3 & 0xFFFF0000U) == 0x39800000U &&
4535 + (addis3 & 0xFFFF0000U) == 0x3D8C0000U &&
4536 + bctr == 0x4E800420U)
4538 + regs->gpr[PT_R11] = 3 * (((li | 0xFFFF0000UL) ^ 0x00008000UL) + 0x00008000UL);
4539 + regs->gpr[PT_R12] = (((li3 | 0xFFFF0000UL) ^ 0x00008000UL) + 0x00008000UL);
4540 + regs->gpr[PT_R12] += (addis3 & 0xFFFFU) << 16;
4541 + regs->ctr = (((li2 | 0xFFFF0000UL) ^ 0x00008000UL) + 0x00008000UL);
4542 + regs->ctr += (addis2 & 0xFFFFU) << 16;
4543 + regs->nip = regs->ctr;
4550 + do { /* PaX: unpatched PLT emulation #2 */
4551 + unsigned int lis, lwzu, b, bctr;
4553 + err = get_user(lis, (unsigned int *)regs->nip);
4554 + err |= get_user(lwzu, (unsigned int *)(regs->nip+4));
4555 + err |= get_user(b, (unsigned int *)(regs->nip+8));
4556 + err |= get_user(bctr, (unsigned int *)(regs->nip+12));
4561 + if ((lis & 0xFFFF0000U) == 0x39600000U &&
4562 + (lwzu & 0xU) == 0xU &&
4563 + (b & 0xFC000003U) == 0x48000000U &&
4564 + bctr == 0x4E800420U)
4566 + unsigned int addis, addi, rlwinm, add, li2, addis2, mtctr, li3, addis3, bctr;
4567 + unsigned long addr = b | 0xFC000000UL;
4569 + addr = regs->nip + 12 + ((addr ^ 0x02000000UL) + 0x02000000UL);
4570 + err = get_user(addis, (unsigned int*)addr);
4571 + err |= get_user(addi, (unsigned int*)(addr+4));
4572 + err |= get_user(rlwinm, (unsigned int*)(addr+8));
4573 + err |= get_user(add, (unsigned int*)(addr+12));
4574 + err |= get_user(li2, (unsigned int*)(addr+16));
4575 + err |= get_user(addis2, (unsigned int*)(addr+20));
4576 + err |= get_user(mtctr, (unsigned int*)(addr+24));
4577 + err |= get_user(li3, (unsigned int*)(addr+28));
4578 + err |= get_user(addis3, (unsigned int*)(addr+32));
4579 + err |= get_user(bctr, (unsigned int*)(addr+36));
4584 + if ((addis & 0xFFFF0000U) == 0x3D6B0000U &&
4585 + (addi & 0xFFFF0000U) == 0x396B0000U &&
4586 + rlwinm == 0x556C083CU &&
4587 + add == 0x7D6C5A14U &&
4588 + (li2 & 0xFFFF0000U) == 0x39800000U &&
4589 + (addis2 & 0xFFFF0000U) == 0x3D8C0000U &&
4590 + mtctr == 0x7D8903A6U &&
4591 + (li3 & 0xFFFF0000U) == 0x39800000U &&
4592 + (addis3 & 0xFFFF0000U) == 0x3D8C0000U &&
4593 + bctr == 0x4E800420U)
4595 + regs->gpr[PT_R11] =
4596 + regs->gpr[PT_R11] = 3 * (((li | 0xFFFF0000UL) ^ 0x00008000UL) + 0x00008000UL);
4597 + regs->gpr[PT_R12] = (((li3 | 0xFFFF0000UL) ^ 0x00008000UL) + 0x00008000UL);
4598 + regs->gpr[PT_R12] += (addis3 & 0xFFFFU) << 16;
4599 + regs->ctr = (((li2 | 0xFFFF0000UL) ^ 0x00008000UL) + 0x00008000UL);
4600 + regs->ctr += (addis2 & 0xFFFFU) << 16;
4601 + regs->nip = regs->ctr;
4608 + do { /* PaX: unpatched PLT emulation #3 */
4609 + unsigned int li, b;
4611 + err = get_user(li, (unsigned int *)regs->nip);
4612 + err |= get_user(b, (unsigned int *)(regs->nip+4));
4614 + if (!err && (li & 0xFFFF0000U) == 0x39600000U && (b & 0xFC000003U) == 0x48000000U) {
4615 + unsigned int addis, lwz, mtctr, bctr;
4616 + unsigned long addr = b | 0xFC000000UL;
4618 + addr = regs->nip + 4 + ((addr ^ 0x02000000UL) + 0x02000000UL);
4619 + err = get_user(addis, (unsigned int*)addr);
4620 + err |= get_user(lwz, (unsigned int*)(addr+4));
4621 + err |= get_user(mtctr, (unsigned int*)(addr+8));
4622 + err |= get_user(bctr, (unsigned int*)(addr+12));
4627 + if ((addis & 0xFFFF0000U) == 0x3D6B0000U &&
4628 + (lwz & 0xFFFF0000U) == 0x816B0000U &&
4629 + mtctr == 0x7D6903A6U &&
4630 + bctr == 0x4E800420U)
4634 + addr = (addis << 16) + (((li | 0xFFFF0000UL) ^ 0x00008000UL) + 0x00008000UL);
4635 + addr += (((lwz | 0xFFFF0000UL) ^ 0x00008000UL) + 0x00008000UL);
4637 + err = get_user(r11, (unsigned int*)addr);
4641 + regs->gpr[PT_R11] = r11;
4650 +#ifdef CONFIG_PAX_EMUSIGRT
4651 + do { /* PaX: sigreturn emulation */
4652 + unsigned int li, sc;
4654 + err = get_user(li, (unsigned int *)regs->nip);
4655 + err |= get_user(sc, (unsigned int *)(regs->nip+4));
4657 + if (!err && li == 0x38000000U + __NR_sigreturn && sc == 0x44000002U) {
4658 + struct vm_area_struct *vma;
4659 + unsigned long call_syscall;
4661 + down_read(¤t->mm->mmap_sem);
4662 + call_syscall = current->mm->call_syscall;
4663 + up_read(¤t->mm->mmap_sem);
4664 + if (likely(call_syscall))
4667 + vma = kmem_cache_alloc(vm_area_cachep, SLAB_KERNEL);
4669 + down_write(¤t->mm->mmap_sem);
4670 + if (current->mm->call_syscall) {
4671 + call_syscall = current->mm->call_syscall;
4672 + up_write(¤t->mm->mmap_sem);
4673 + if (vma) kmem_cache_free(vm_area_cachep, vma);
4677 + call_syscall = get_unmapped_area(NULL, 0UL, PAGE_SIZE, 0UL, MAP_PRIVATE);
4678 + if (!vma || (call_syscall & ~PAGE_MASK)) {
4679 + up_write(¤t->mm->mmap_sem);
4680 + if (vma) kmem_cache_free(vm_area_cachep, vma);
4684 + if (pax_insert_vma(vma, call_syscall)) {
4685 + up_write(¤t->mm->mmap_sem);
4686 + kmem_cache_free(vm_area_cachep, vma);
4690 + current->mm->call_syscall = call_syscall;
4691 + up_write(¤t->mm->mmap_sem);
4694 + regs->gpr[PT_R0] = __NR_sigreturn;
4695 + regs->nip = call_syscall;
4700 + do { /* PaX: rt_sigreturn emulation */
4701 + unsigned int li, sc;
4703 + err = get_user(li, (unsigned int *)regs->nip);
4704 + err |= get_user(sc, (unsigned int *)(regs->nip+4));
4706 + if (!err && li == 0x38000000U + __NR_rt_sigreturn && sc == 0x44000002U) {
4707 + struct vm_area_struct *vma;
4708 + unsigned int call_syscall;
4710 + down_read(¤t->mm->mmap_sem);
4711 + call_syscall = current->mm->call_syscall;
4712 + up_read(¤t->mm->mmap_sem);
4713 + if (likely(call_syscall))
4716 + vma = kmem_cache_alloc(vm_area_cachep, SLAB_KERNEL);
4718 + down_write(¤t->mm->mmap_sem);
4719 + if (current->mm->call_syscall) {
4720 + call_syscall = current->mm->call_syscall;
4721 + up_write(¤t->mm->mmap_sem);
4722 + if (vma) kmem_cache_free(vm_area_cachep, vma);
4726 + call_syscall = get_unmapped_area(NULL, 0UL, PAGE_SIZE, 0UL, MAP_PRIVATE);
4727 + if (!vma || (call_syscall & ~PAGE_MASK)) {
4728 + up_write(¤t->mm->mmap_sem);
4729 + if (vma) kmem_cache_free(vm_area_cachep, vma);
4733 + if (pax_insert_vma(vma, call_syscall)) {
4734 + up_write(¤t->mm->mmap_sem);
4735 + kmem_cache_free(vm_area_cachep, vma);
4739 + current->mm->call_syscall = call_syscall;
4740 + up_write(¤t->mm->mmap_sem);
4743 + regs->gpr[PT_R0] = __NR_rt_sigreturn;
4744 + regs->nip = call_syscall;
4753 +void pax_report_insns(void *pc, void *sp)
4757 + printk(KERN_ERR "PAX: bytes at PC: ");
4758 + for (i = 0; i < 5; i++) {
4760 + if (get_user(c, (unsigned int*)pc+i))
4761 + printk("???????? ");
4763 + printk("%08x ", c);
4770 * Check whether the instruction at regs->nip is a store using
4771 * an update addressing form which will update r1.
4772 @@ -111,7 +474,7 @@ int do_page_fault(struct pt_regs *regs,
4773 * indicate errors in DSISR but can validly be set in SRR1.
4775 if (TRAP(regs) == 0x400)
4776 - error_code &= 0x48200000;
4777 + error_code &= 0x58200000;
4779 is_write = error_code & 0x02000000;
4780 #endif /* CONFIG_4xx || CONFIG_BOOKE */
4781 @@ -205,15 +568,14 @@ good_area:
4782 } else if (TRAP(regs) == 0x400) {
4787 /* It would be nice to actually enforce the VM execute
4788 permission on CPUs which can do so, but far too
4789 much stuff in userspace doesn't get the permissions
4790 right, so we let any page be executed for now. */
4791 if (! (vma->vm_flags & VM_EXEC))
4796 /* Since 4xx/Book-E supports per-page execute permission,
4797 * we lazily flush dcache to icache. */
4799 @@ -233,6 +595,7 @@ good_area:
4806 /* protection fault */
4807 @@ -278,6 +641,33 @@ bad_area:
4809 /* User mode accesses cause a SIGSEGV */
4810 if (user_mode(regs)) {
4812 +#ifdef CONFIG_PAX_PAGEEXEC
4813 + if (mm->pax_flags & MF_PAX_PAGEEXEC) {
4814 + if ((TRAP(regs) == 0x400) && (regs->nip == address)) {
4815 + switch (pax_handle_fetch_fault(regs)) {
4817 +#ifdef CONFIG_PAX_EMUPLT
4824 +#ifdef CONFIG_PAX_EMUSIGRT
4832 + pax_report_fault(regs, (void*)regs->nip, (void*)regs->gpr[1]);
4838 _exception(SIGSEGV, regs, code, address);
4841 diff -urNp linux-2.6.16.12/arch/s390/kernel/module.c linux-2.6.16.12/arch/s390/kernel/module.c
4842 --- linux-2.6.16.12/arch/s390/kernel/module.c 2006-05-01 15:14:26.000000000 -0400
4843 +++ linux-2.6.16.12/arch/s390/kernel/module.c 2006-05-01 20:17:33.000000000 -0400
4844 @@ -164,11 +164,11 @@ module_frob_arch_sections(Elf_Ehdr *hdr,
4846 /* Increase core size by size of got & plt and set start
4847 offsets for got and plt. */
4848 - me->core_size = ALIGN(me->core_size, 4);
4849 - me->arch.got_offset = me->core_size;
4850 - me->core_size += me->arch.got_size;
4851 - me->arch.plt_offset = me->core_size;
4852 - me->core_size += me->arch.plt_size;
4853 + me->core_size_rw = ALIGN(me->core_size_rw, 4);
4854 + me->arch.got_offset = me->core_size_rw;
4855 + me->core_size_rw += me->arch.got_size;
4856 + me->arch.plt_offset = me->core_size_rx;
4857 + me->core_size_rx += me->arch.plt_size;
4861 @@ -254,7 +254,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
4862 if (info->got_initialized == 0) {
4865 - gotent = me->module_core + me->arch.got_offset +
4866 + gotent = me->module_core_rw + me->arch.got_offset +
4869 info->got_initialized = 1;
4870 @@ -278,7 +278,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
4871 else if (r_type == R_390_GOTENT ||
4872 r_type == R_390_GOTPLTENT)
4873 *(unsigned int *) loc =
4874 - (val + (Elf_Addr) me->module_core - loc) >> 1;
4875 + (val + (Elf_Addr) me->module_core_rw - loc) >> 1;
4876 else if (r_type == R_390_GOT64 ||
4877 r_type == R_390_GOTPLT64)
4878 *(unsigned long *) loc = val;
4879 @@ -292,7 +292,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
4880 case R_390_PLTOFF64: /* 16 bit offset from GOT to PLT. */
4881 if (info->plt_initialized == 0) {
4883 - ip = me->module_core + me->arch.plt_offset +
4884 + ip = me->module_core_rx + me->arch.plt_offset +
4886 #ifndef CONFIG_64BIT
4887 ip[0] = 0x0d105810; /* basr 1,0; l 1,6(1); br 1 */
4888 @@ -314,7 +314,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
4889 val = me->arch.plt_offset - me->arch.got_offset +
4890 info->plt_offset + rela->r_addend;
4892 - val = (Elf_Addr) me->module_core +
4893 + val = (Elf_Addr) me->module_core_rx +
4894 me->arch.plt_offset + info->plt_offset +
4895 rela->r_addend - loc;
4896 if (r_type == R_390_PLT16DBL)
4897 @@ -334,7 +334,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
4898 case R_390_GOTOFF32: /* 32 bit offset to GOT. */
4899 case R_390_GOTOFF64: /* 64 bit offset to GOT. */
4900 val = val + rela->r_addend -
4901 - ((Elf_Addr) me->module_core + me->arch.got_offset);
4902 + ((Elf_Addr) me->module_core_rw + me->arch.got_offset);
4903 if (r_type == R_390_GOTOFF16)
4904 *(unsigned short *) loc = val;
4905 else if (r_type == R_390_GOTOFF32)
4906 @@ -344,7 +344,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
4908 case R_390_GOTPC: /* 32 bit PC relative offset to GOT. */
4909 case R_390_GOTPCDBL: /* 32 bit PC rel. off. to GOT shifted by 1. */
4910 - val = (Elf_Addr) me->module_core + me->arch.got_offset +
4911 + val = (Elf_Addr) me->module_core_rw + me->arch.got_offset +
4912 rela->r_addend - loc;
4913 if (r_type == R_390_GOTPC)
4914 *(unsigned int *) loc = val;
4915 diff -urNp linux-2.6.16.12/arch/sparc/kernel/ptrace.c linux-2.6.16.12/arch/sparc/kernel/ptrace.c
4916 --- linux-2.6.16.12/arch/sparc/kernel/ptrace.c 2006-05-01 15:14:26.000000000 -0400
4917 +++ linux-2.6.16.12/arch/sparc/kernel/ptrace.c 2006-05-01 20:17:33.000000000 -0400
4919 #include <linux/smp_lock.h>
4920 #include <linux/security.h>
4921 #include <linux/signal.h>
4922 +#include <linux/grsecurity.h>
4924 #include <asm/pgtable.h>
4925 #include <asm/system.h>
4926 @@ -304,6 +305,11 @@ asmlinkage void do_ptrace(struct pt_regs
4930 + if (gr_handle_ptrace(child, request)) {
4931 + pt_error_return(regs, EPERM);
4935 if ((current->personality == PER_SUNOS && request == PTRACE_SUNATTACH)
4936 || (current->personality != PER_SUNOS && request == PTRACE_ATTACH)) {
4937 if (ptrace_attach(child)) {
4938 diff -urNp linux-2.6.16.12/arch/sparc/kernel/sys_sparc.c linux-2.6.16.12/arch/sparc/kernel/sys_sparc.c
4939 --- linux-2.6.16.12/arch/sparc/kernel/sys_sparc.c 2006-05-01 15:14:26.000000000 -0400
4940 +++ linux-2.6.16.12/arch/sparc/kernel/sys_sparc.c 2006-05-01 20:17:33.000000000 -0400
4941 @@ -57,7 +57,7 @@ unsigned long arch_get_unmapped_area(str
4942 if (ARCH_SUN4C_SUN4 && len > 0x20000000)
4945 - addr = TASK_UNMAPPED_BASE;
4946 + addr = current->mm->mmap_base;
4948 if (flags & MAP_SHARED)
4949 addr = COLOUR_ALIGN(addr);
4950 diff -urNp linux-2.6.16.12/arch/sparc/Makefile linux-2.6.16.12/arch/sparc/Makefile
4951 --- linux-2.6.16.12/arch/sparc/Makefile 2006-05-01 15:14:26.000000000 -0400
4952 +++ linux-2.6.16.12/arch/sparc/Makefile 2006-05-01 20:17:33.000000000 -0400
4953 @@ -34,7 +34,7 @@ libs-y += arch/sparc/prom/ arch/sparc/li
4954 # Renaming is done to avoid confusing pattern matching rules in 2.5.45 (multy-)
4955 INIT_Y := $(patsubst %/, %/built-in.o, $(init-y))
4957 -CORE_Y += kernel/ mm/ fs/ ipc/ security/ crypto/ block/
4958 +CORE_Y += kernel/ mm/ fs/ ipc/ security/ crypto/ block/ grsecurity/
4959 CORE_Y := $(patsubst %/, %/built-in.o, $(CORE_Y))
4960 DRIVERS_Y := $(patsubst %/, %/built-in.o, $(drivers-y))
4961 NET_Y := $(patsubst %/, %/built-in.o, $(net-y))
4962 diff -urNp linux-2.6.16.12/arch/sparc/mm/fault.c linux-2.6.16.12/arch/sparc/mm/fault.c
4963 --- linux-2.6.16.12/arch/sparc/mm/fault.c 2006-05-01 15:14:26.000000000 -0400
4964 +++ linux-2.6.16.12/arch/sparc/mm/fault.c 2006-05-01 20:17:33.000000000 -0400
4966 #include <linux/smp_lock.h>
4967 #include <linux/interrupt.h>
4968 #include <linux/module.h>
4969 +#include <linux/slab.h>
4970 +#include <linux/pagemap.h>
4971 +#include <linux/compiler.h>
4972 +#include <linux/binfmts.h>
4974 #include <asm/system.h>
4975 #include <asm/page.h>
4976 @@ -217,6 +221,252 @@ static unsigned long compute_si_addr(str
4977 return safe_compute_effective_address(regs, insn);
4980 +#ifdef CONFIG_PAX_PAGEEXEC
4981 +void pax_emuplt_close(struct vm_area_struct * vma)
4983 + vma->vm_mm->call_dl_resolve = 0UL;
4986 +static struct page* pax_emuplt_nopage(struct vm_area_struct *vma, unsigned long address, int *type)
4988 + struct page* page;
4989 + unsigned int *kaddr;
4991 + page = alloc_page(GFP_HIGHUSER);
4993 + return NOPAGE_OOM;
4995 + kaddr = kmap(page);
4996 + memset(kaddr, 0, PAGE_SIZE);
4997 + kaddr[0] = 0x9DE3BFA8U; /* save */
4998 + flush_dcache_page(page);
5001 + *type = VM_FAULT_MAJOR;
5006 +static struct vm_operations_struct pax_vm_ops = {
5007 + .close = pax_emuplt_close,
5008 + .nopage = pax_emuplt_nopage,
5011 +static int pax_insert_vma(struct vm_area_struct *vma, unsigned long addr)
5015 + memset(vma, 0, sizeof(*vma));
5016 + vma->vm_mm = current->mm;
5017 + vma->vm_start = addr;
5018 + vma->vm_end = addr + PAGE_SIZE;
5019 + vma->vm_flags = VM_READ | VM_EXEC | VM_MAYREAD | VM_MAYEXEC;
5020 + vma->vm_page_prot = protection_map[vma->vm_flags & 0x0f];
5021 + vma->vm_ops = &pax_vm_ops;
5023 + ret = insert_vm_struct(current->mm, vma);
5027 + ++current->mm->total_vm;
5032 + * PaX: decide what to do with offenders (regs->pc = fault address)
5034 + * returns 1 when task should be killed
5035 + * 2 when patched PLT trampoline was detected
5036 + * 3 when unpatched PLT trampoline was detected
5038 +static int pax_handle_fetch_fault(struct pt_regs *regs)
5041 +#ifdef CONFIG_PAX_EMUPLT
5044 + do { /* PaX: patched PLT emulation #1 */
5045 + unsigned int sethi1, sethi2, jmpl;
5047 + err = get_user(sethi1, (unsigned int*)regs->pc);
5048 + err |= get_user(sethi2, (unsigned int*)(regs->pc+4));
5049 + err |= get_user(jmpl, (unsigned int*)(regs->pc+8));
5054 + if ((sethi1 & 0xFFC00000U) == 0x03000000U &&
5055 + (sethi2 & 0xFFC00000U) == 0x03000000U &&
5056 + (jmpl & 0xFFFFE000U) == 0x81C06000U)
5058 + unsigned int addr;
5060 + regs->u_regs[UREG_G1] = (sethi2 & 0x003FFFFFU) << 10;
5061 + addr = regs->u_regs[UREG_G1];
5062 + addr += (((jmpl | 0xFFFFE000U) ^ 0x00001000U) + 0x00001000U);
5064 + regs->npc = addr+4;
5069 + { /* PaX: patched PLT emulation #2 */
5072 + err = get_user(ba, (unsigned int*)regs->pc);
5074 + if (!err && (ba & 0xFFC00000U) == 0x30800000U) {
5075 + unsigned int addr;
5077 + addr = regs->pc + ((((ba | 0xFFC00000U) ^ 0x00200000U) + 0x00200000U) << 2);
5079 + regs->npc = addr+4;
5084 + do { /* PaX: patched PLT emulation #3 */
5085 + unsigned int sethi, jmpl, nop;
5087 + err = get_user(sethi, (unsigned int*)regs->pc);
5088 + err |= get_user(jmpl, (unsigned int*)(regs->pc+4));
5089 + err |= get_user(nop, (unsigned int*)(regs->pc+8));
5094 + if ((sethi & 0xFFC00000U) == 0x03000000U &&
5095 + (jmpl & 0xFFFFE000U) == 0x81C06000U &&
5096 + nop == 0x01000000U)
5098 + unsigned int addr;
5100 + addr = (sethi & 0x003FFFFFU) << 10;
5101 + regs->u_regs[UREG_G1] = addr;
5102 + addr += (((jmpl | 0xFFFFE000U) ^ 0x00001000U) + 0x00001000U);
5104 + regs->npc = addr+4;
5109 + do { /* PaX: unpatched PLT emulation step 1 */
5110 + unsigned int sethi, ba, nop;
5112 + err = get_user(sethi, (unsigned int*)regs->pc);
5113 + err |= get_user(ba, (unsigned int*)(regs->pc+4));
5114 + err |= get_user(nop, (unsigned int*)(regs->pc+8));
5119 + if ((sethi & 0xFFC00000U) == 0x03000000U &&
5120 + ((ba & 0xFFC00000U) == 0x30800000U || (ba & 0xFFF80000U) == 0x30680000U) &&
5121 + nop == 0x01000000U)
5123 + unsigned int addr, save, call;
5125 + if ((ba & 0xFFC00000U) == 0x30800000U)
5126 + addr = regs->pc + 4 + ((((ba | 0xFFC00000U) ^ 0x00200000U) + 0x00200000U) << 2);
5128 + addr = regs->pc + 4 + ((((ba | 0xFFF80000U) ^ 0x00040000U) + 0x00040000U) << 2);
5130 + err = get_user(save, (unsigned int*)addr);
5131 + err |= get_user(call, (unsigned int*)(addr+4));
5132 + err |= get_user(nop, (unsigned int*)(addr+8));
5136 + if (save == 0x9DE3BFA8U &&
5137 + (call & 0xC0000000U) == 0x40000000U &&
5138 + nop == 0x01000000U)
5140 + struct vm_area_struct *vma;
5141 + unsigned long call_dl_resolve;
5143 + down_read(¤t->mm->mmap_sem);
5144 + call_dl_resolve = current->mm->call_dl_resolve;
5145 + up_read(¤t->mm->mmap_sem);
5146 + if (likely(call_dl_resolve))
5149 + vma = kmem_cache_alloc(vm_area_cachep, SLAB_KERNEL);
5151 + down_write(¤t->mm->mmap_sem);
5152 + if (current->mm->call_dl_resolve) {
5153 + call_dl_resolve = current->mm->call_dl_resolve;
5154 + up_write(¤t->mm->mmap_sem);
5155 + if (vma) kmem_cache_free(vm_area_cachep, vma);
5159 + call_dl_resolve = get_unmapped_area(NULL, 0UL, PAGE_SIZE, 0UL, MAP_PRIVATE);
5160 + if (!vma || (call_dl_resolve & ~PAGE_MASK)) {
5161 + up_write(¤t->mm->mmap_sem);
5162 + if (vma) kmem_cache_free(vm_area_cachep, vma);
5166 + if (pax_insert_vma(vma, call_dl_resolve)) {
5167 + up_write(¤t->mm->mmap_sem);
5168 + kmem_cache_free(vm_area_cachep, vma);
5172 + current->mm->call_dl_resolve = call_dl_resolve;
5173 + up_write(¤t->mm->mmap_sem);
5176 + regs->u_regs[UREG_G1] = (sethi & 0x003FFFFFU) << 10;
5177 + regs->pc = call_dl_resolve;
5178 + regs->npc = addr+4;
5184 + do { /* PaX: unpatched PLT emulation step 2 */
5185 + unsigned int save, call, nop;
5187 + err = get_user(save, (unsigned int*)(regs->pc-4));
5188 + err |= get_user(call, (unsigned int*)regs->pc);
5189 + err |= get_user(nop, (unsigned int*)(regs->pc+4));
5193 + if (save == 0x9DE3BFA8U &&
5194 + (call & 0xC0000000U) == 0x40000000U &&
5195 + nop == 0x01000000U)
5197 + unsigned int dl_resolve = regs->pc + ((((call | 0xC0000000U) ^ 0x20000000U) + 0x20000000U) << 2);
5199 + regs->u_regs[UREG_RETPC] = regs->pc;
5200 + regs->pc = dl_resolve;
5201 + regs->npc = dl_resolve+4;
5210 +void pax_report_insns(void *pc, void *sp)
5214 + printk(KERN_ERR "PAX: bytes at PC: ");
5215 + for (i = 0; i < 5; i++) {
5217 + if (get_user(c, (unsigned int*)pc+i))
5218 + printk("???????? ");
5220 + printk("%08x ", c);
5226 asmlinkage void do_sparc_fault(struct pt_regs *regs, int text_fault, int write,
5227 unsigned long address)
5229 @@ -280,6 +530,24 @@ good_area:
5230 if(!(vma->vm_flags & VM_WRITE))
5234 +#ifdef CONFIG_PAX_PAGEEXEC
5235 + if ((mm->pax_flags & MF_PAX_PAGEEXEC) && text_fault && !(vma->vm_flags & VM_EXEC)) {
5236 + up_read(&mm->mmap_sem);
5237 + switch (pax_handle_fetch_fault(regs)) {
5239 +#ifdef CONFIG_PAX_EMUPLT
5246 + pax_report_fault(regs, (void*)regs->pc, (void*)regs->u_regs[UREG_FP]);
5251 /* Allow reads even for write-only mappings */
5252 if(!(vma->vm_flags & (VM_READ | VM_EXEC)))
5254 diff -urNp linux-2.6.16.12/arch/sparc/mm/init.c linux-2.6.16.12/arch/sparc/mm/init.c
5255 --- linux-2.6.16.12/arch/sparc/mm/init.c 2006-05-01 15:14:26.000000000 -0400
5256 +++ linux-2.6.16.12/arch/sparc/mm/init.c 2006-05-01 20:17:33.000000000 -0400
5257 @@ -333,17 +333,17 @@ void __init paging_init(void)
5259 /* Initialize the protection map with non-constant, MMU dependent values. */
5260 protection_map[0] = PAGE_NONE;
5261 - protection_map[1] = PAGE_READONLY;
5262 - protection_map[2] = PAGE_COPY;
5263 - protection_map[3] = PAGE_COPY;
5264 + protection_map[1] = PAGE_READONLY_NOEXEC;
5265 + protection_map[2] = PAGE_COPY_NOEXEC;
5266 + protection_map[3] = PAGE_COPY_NOEXEC;
5267 protection_map[4] = PAGE_READONLY;
5268 protection_map[5] = PAGE_READONLY;
5269 protection_map[6] = PAGE_COPY;
5270 protection_map[7] = PAGE_COPY;
5271 protection_map[8] = PAGE_NONE;
5272 - protection_map[9] = PAGE_READONLY;
5273 - protection_map[10] = PAGE_SHARED;
5274 - protection_map[11] = PAGE_SHARED;
5275 + protection_map[9] = PAGE_READONLY_NOEXEC;
5276 + protection_map[10] = PAGE_SHARED_NOEXEC;
5277 + protection_map[11] = PAGE_SHARED_NOEXEC;
5278 protection_map[12] = PAGE_READONLY;
5279 protection_map[13] = PAGE_READONLY;
5280 protection_map[14] = PAGE_SHARED;
5281 diff -urNp linux-2.6.16.12/arch/sparc/mm/srmmu.c linux-2.6.16.12/arch/sparc/mm/srmmu.c
5282 --- linux-2.6.16.12/arch/sparc/mm/srmmu.c 2006-05-01 15:14:26.000000000 -0400
5283 +++ linux-2.6.16.12/arch/sparc/mm/srmmu.c 2006-05-01 20:17:33.000000000 -0400
5284 @@ -2148,6 +2148,13 @@ void __init ld_mmu_srmmu(void)
5285 BTFIXUPSET_INT(page_shared, pgprot_val(SRMMU_PAGE_SHARED));
5286 BTFIXUPSET_INT(page_copy, pgprot_val(SRMMU_PAGE_COPY));
5287 BTFIXUPSET_INT(page_readonly, pgprot_val(SRMMU_PAGE_RDONLY));
5289 +#ifdef CONFIG_PAX_PAGEEXEC
5290 + BTFIXUPSET_INT(page_shared_noexec, pgprot_val(SRMMU_PAGE_SHARED_NOEXEC));
5291 + BTFIXUPSET_INT(page_copy_noexec, pgprot_val(SRMMU_PAGE_COPY_NOEXEC));
5292 + BTFIXUPSET_INT(page_readonly_noexec, pgprot_val(SRMMU_PAGE_RDONLY_NOEXEC));
5295 BTFIXUPSET_INT(page_kernel, pgprot_val(SRMMU_PAGE_KERNEL));
5296 page_kernel = pgprot_val(SRMMU_PAGE_KERNEL);
5297 pg_iobits = SRMMU_VALID | SRMMU_WRITE | SRMMU_REF;
5298 diff -urNp linux-2.6.16.12/arch/sparc64/kernel/ptrace.c linux-2.6.16.12/arch/sparc64/kernel/ptrace.c
5299 --- linux-2.6.16.12/arch/sparc64/kernel/ptrace.c 2006-05-01 15:14:26.000000000 -0400
5300 +++ linux-2.6.16.12/arch/sparc64/kernel/ptrace.c 2006-05-01 20:17:33.000000000 -0400
5302 #include <linux/seccomp.h>
5303 #include <linux/audit.h>
5304 #include <linux/signal.h>
5305 +#include <linux/grsecurity.h>
5307 #include <asm/asi.h>
5308 #include <asm/pgtable.h>
5309 @@ -214,6 +215,11 @@ asmlinkage void do_ptrace(struct pt_regs
5313 + if (gr_handle_ptrace(child, (long)request)) {
5314 + pt_error_return(regs, EPERM);
5318 if ((current->personality == PER_SUNOS && request == PTRACE_SUNATTACH)
5319 || (current->personality != PER_SUNOS && request == PTRACE_ATTACH)) {
5320 if (ptrace_attach(child)) {
5321 diff -urNp linux-2.6.16.12/arch/sparc64/kernel/sys_sparc.c linux-2.6.16.12/arch/sparc64/kernel/sys_sparc.c
5322 --- linux-2.6.16.12/arch/sparc64/kernel/sys_sparc.c 2006-05-01 15:14:26.000000000 -0400
5323 +++ linux-2.6.16.12/arch/sparc64/kernel/sys_sparc.c 2006-05-01 20:17:33.000000000 -0400
5324 @@ -73,6 +73,10 @@ unsigned long arch_get_unmapped_area(str
5325 if (filp || (flags & MAP_SHARED))
5328 +#ifdef CONFIG_PAX_RANDMMAP
5329 + if (!(mm->pax_flags & MF_PAX_RANDMMAP) || !filp)
5334 addr = COLOUR_ALIGN(addr, pgoff);
5335 @@ -87,7 +91,7 @@ unsigned long arch_get_unmapped_area(str
5337 if (len <= mm->cached_hole_size) {
5338 mm->cached_hole_size = 0;
5339 - mm->free_area_cache = TASK_UNMAPPED_BASE;
5340 + mm->free_area_cache = mm->mmap_base;
5342 start_addr = addr = mm->free_area_cache;
5344 @@ -106,8 +110,8 @@ full_search:
5345 vma = find_vma(mm, PAGE_OFFSET);
5347 if (task_size < addr) {
5348 - if (start_addr != TASK_UNMAPPED_BASE) {
5349 - start_addr = addr = TASK_UNMAPPED_BASE;
5350 + if (start_addr != mm->mmap_base) {
5351 + start_addr = addr = mm->mmap_base;
5352 mm->cached_hole_size = 0;
5355 diff -urNp linux-2.6.16.12/arch/sparc64/mm/fault.c linux-2.6.16.12/arch/sparc64/mm/fault.c
5356 --- linux-2.6.16.12/arch/sparc64/mm/fault.c 2006-05-01 15:14:26.000000000 -0400
5357 +++ linux-2.6.16.12/arch/sparc64/mm/fault.c 2006-05-01 20:17:33.000000000 -0400
5359 #include <linux/init.h>
5360 #include <linux/interrupt.h>
5361 #include <linux/kprobes.h>
5362 +#include <linux/slab.h>
5363 +#include <linux/pagemap.h>
5364 +#include <linux/compiler.h>
5365 +#include <linux/binfmts.h>
5367 #include <asm/page.h>
5368 #include <asm/pgtable.h>
5369 @@ -251,6 +255,369 @@ cannot_handle:
5370 unhandled_fault (address, current, regs);
5373 +#ifdef CONFIG_PAX_PAGEEXEC
5374 +#ifdef CONFIG_PAX_EMUPLT
5375 +static void pax_emuplt_close(struct vm_area_struct * vma)
5377 + vma->vm_mm->call_dl_resolve = 0UL;
5380 +static struct page* pax_emuplt_nopage(struct vm_area_struct *vma, unsigned long address, int *type)
5382 + struct page* page;
5383 + unsigned int *kaddr;
5385 + page = alloc_page(GFP_HIGHUSER);
5387 + return NOPAGE_OOM;
5389 + kaddr = kmap(page);
5390 + memset(kaddr, 0, PAGE_SIZE);
5391 + kaddr[0] = 0x9DE3BFA8U; /* save */
5392 + flush_dcache_page(page);
5395 + *type = VM_FAULT_MAJOR;
5399 +static struct vm_operations_struct pax_vm_ops = {
5400 + .close = pax_emuplt_close,
5401 + .nopage = pax_emuplt_nopage,
5404 +static int pax_insert_vma(struct vm_area_struct *vma, unsigned long addr)
5408 + memset(vma, 0, sizeof(*vma));
5409 + vma->vm_mm = current->mm;
5410 + vma->vm_start = addr;
5411 + vma->vm_end = addr + PAGE_SIZE;
5412 + vma->vm_flags = VM_READ | VM_EXEC | VM_MAYREAD | VM_MAYEXEC;
5413 + vma->vm_page_prot = protection_map[vma->vm_flags & 0x0f];
5414 + vma->vm_ops = &pax_vm_ops;
5416 + ret = insert_vm_struct(current->mm, vma);
5420 + ++current->mm->total_vm;
5426 + * PaX: decide what to do with offenders (regs->tpc = fault address)
5428 + * returns 1 when task should be killed
5429 + * 2 when patched PLT trampoline was detected
5430 + * 3 when unpatched PLT trampoline was detected
5432 +static int pax_handle_fetch_fault(struct pt_regs *regs)
5435 +#ifdef CONFIG_PAX_EMUPLT
5438 + do { /* PaX: patched PLT emulation #1 */
5439 + unsigned int sethi1, sethi2, jmpl;
5441 + err = get_user(sethi1, (unsigned int*)regs->tpc);
5442 + err |= get_user(sethi2, (unsigned int*)(regs->tpc+4));
5443 + err |= get_user(jmpl, (unsigned int*)(regs->tpc+8));
5448 + if ((sethi1 & 0xFFC00000U) == 0x03000000U &&
5449 + (sethi2 & 0xFFC00000U) == 0x03000000U &&
5450 + (jmpl & 0xFFFFE000U) == 0x81C06000U)
5452 + unsigned long addr;
5454 + regs->u_regs[UREG_G1] = (sethi2 & 0x003FFFFFU) << 10;
5455 + addr = regs->u_regs[UREG_G1];
5456 + addr += (((jmpl | 0xFFFFFFFFFFFFE000UL) ^ 0x00001000UL) + 0x00001000UL);
5458 + regs->tnpc = addr+4;
5463 + { /* PaX: patched PLT emulation #2 */
5466 + err = get_user(ba, (unsigned int*)regs->tpc);
5468 + if (!err && (ba & 0xFFC00000U) == 0x30800000U) {
5469 + unsigned long addr;
5471 + addr = regs->tpc + ((((ba | 0xFFFFFFFFFFC00000UL) ^ 0x00200000UL) + 0x00200000UL) << 2);
5473 + regs->tnpc = addr+4;
5478 + do { /* PaX: patched PLT emulation #3 */
5479 + unsigned int sethi, jmpl, nop;
5481 + err = get_user(sethi, (unsigned int*)regs->tpc);
5482 + err |= get_user(jmpl, (unsigned int*)(regs->tpc+4));
5483 + err |= get_user(nop, (unsigned int*)(regs->tpc+8));
5488 + if ((sethi & 0xFFC00000U) == 0x03000000U &&
5489 + (jmpl & 0xFFFFE000U) == 0x81C06000U &&
5490 + nop == 0x01000000U)
5492 + unsigned long addr;
5494 + addr = (sethi & 0x003FFFFFU) << 10;
5495 + regs->u_regs[UREG_G1] = addr;
5496 + addr += (((jmpl | 0xFFFFFFFFFFFFE000UL) ^ 0x00001000UL) + 0x00001000UL);
5498 + regs->tnpc = addr+4;
5503 + do { /* PaX: patched PLT emulation #4 */
5504 + unsigned int mov1, call, mov2;
5506 + err = get_user(mov1, (unsigned int*)regs->tpc);
5507 + err |= get_user(call, (unsigned int*)(regs->tpc+4));
5508 + err |= get_user(mov2, (unsigned int*)(regs->tpc+8));
5513 + if (mov1 == 0x8210000FU &&
5514 + (call & 0xC0000000U) == 0x40000000U &&
5515 + mov2 == 0x9E100001U)
5517 + unsigned long addr;
5519 + regs->u_regs[UREG_G1] = regs->u_regs[UREG_RETPC];
5520 + addr = regs->tpc + 4 + ((((call | 0xFFFFFFFFC0000000UL) ^ 0x20000000UL) + 0x20000000UL) << 2);
5522 + regs->tnpc = addr+4;
5527 + do { /* PaX: patched PLT emulation #5 */
5528 + unsigned int sethi1, sethi2, or1, or2, sllx, jmpl, nop;
5530 + err = get_user(sethi1, (unsigned int*)regs->tpc);
5531 + err |= get_user(sethi2, (unsigned int*)(regs->tpc+4));
5532 + err |= get_user(or1, (unsigned int*)(regs->tpc+8));
5533 + err |= get_user(or2, (unsigned int*)(regs->tpc+12));
5534 + err |= get_user(sllx, (unsigned int*)(regs->tpc+16));
5535 + err |= get_user(jmpl, (unsigned int*)(regs->tpc+20));
5536 + err |= get_user(nop, (unsigned int*)(regs->tpc+24));
5541 + if ((sethi1 & 0xFFC00000U) == 0x03000000U &&
5542 + (sethi2 & 0xFFC00000U) == 0x0B000000U &&
5543 + (or1 & 0xFFFFE000U) == 0x82106000U &&
5544 + (or2 & 0xFFFFE000U) == 0x8A116000U &&
5545 + sllx == 0x83287020 &&
5546 + jmpl == 0x81C04005U &&
5547 + nop == 0x01000000U)
5549 + unsigned long addr;
5551 + regs->u_regs[UREG_G1] = ((sethi1 & 0x003FFFFFU) << 10) | (or1 & 0x000003FFU);
5552 + regs->u_regs[UREG_G1] <<= 32;
5553 + regs->u_regs[UREG_G5] = ((sethi2 & 0x003FFFFFU) << 10) | (or2 & 0x000003FFU);
5554 + addr = regs->u_regs[UREG_G1] + regs->u_regs[UREG_G5];
5556 + regs->tnpc = addr+4;
5561 + do { /* PaX: patched PLT emulation #6 */
5562 + unsigned int sethi1, sethi2, sllx, or, jmpl, nop;
5564 + err = get_user(sethi1, (unsigned int*)regs->tpc);
5565 + err |= get_user(sethi2, (unsigned int*)(regs->tpc+4));
5566 + err |= get_user(sllx, (unsigned int*)(regs->tpc+8));
5567 + err |= get_user(or, (unsigned int*)(regs->tpc+12));
5568 + err |= get_user(jmpl, (unsigned int*)(regs->tpc+16));
5569 + err |= get_user(nop, (unsigned int*)(regs->tpc+20));
5574 + if ((sethi1 & 0xFFC00000U) == 0x03000000U &&
5575 + (sethi2 & 0xFFC00000U) == 0x0B000000U &&
5576 + sllx == 0x83287020 &&
5577 + (or & 0xFFFFE000U) == 0x8A116000U &&
5578 + jmpl == 0x81C04005U &&
5579 + nop == 0x01000000U)
5581 + unsigned long addr;
5583 + regs->u_regs[UREG_G1] = (sethi1 & 0x003FFFFFU) << 10;
5584 + regs->u_regs[UREG_G1] <<= 32;
5585 + regs->u_regs[UREG_G5] = ((sethi2 & 0x003FFFFFU) << 10) | (or & 0x3FFU);
5586 + addr = regs->u_regs[UREG_G1] + regs->u_regs[UREG_G5];
5588 + regs->tnpc = addr+4;
5593 + do { /* PaX: patched PLT emulation #7 */
5594 + unsigned int sethi, ba, nop;
5596 + err = get_user(sethi, (unsigned int*)regs->tpc);
5597 + err |= get_user(ba, (unsigned int*)(regs->tpc+4));
5598 + err |= get_user(nop, (unsigned int*)(regs->tpc+8));
5603 + if ((sethi & 0xFFC00000U) == 0x03000000U &&
5604 + (ba & 0xFFF00000U) == 0x30600000U &&
5605 + nop == 0x01000000U)
5607 + unsigned long addr;
5609 + addr = (sethi & 0x003FFFFFU) << 10;
5610 + regs->u_regs[UREG_G1] = addr;
5611 + addr = regs->tpc + ((((ba | 0xFFFFFFFFFFF80000UL) ^ 0x00040000UL) + 0x00040000UL) << 2);
5613 + regs->tnpc = addr+4;
5618 + do { /* PaX: unpatched PLT emulation step 1 */
5619 + unsigned int sethi, ba, nop;
5621 + err = get_user(sethi, (unsigned int*)regs->tpc);
5622 + err |= get_user(ba, (unsigned int*)(regs->tpc+4));
5623 + err |= get_user(nop, (unsigned int*)(regs->tpc+8));
5628 + if ((sethi & 0xFFC00000U) == 0x03000000U &&
5629 + ((ba & 0xFFC00000U) == 0x30800000U || (ba & 0xFFF80000U) == 0x30680000U) &&
5630 + nop == 0x01000000U)
5632 + unsigned long addr;
5633 + unsigned int save, call;
5635 + if ((ba & 0xFFC00000U) == 0x30800000U)
5636 + addr = regs->tpc + 4 + ((((ba | 0xFFFFFFFFFFC00000UL) ^ 0x00200000UL) + 0x00200000UL) << 2);
5638 + addr = regs->tpc + 4 + ((((ba | 0xFFFFFFFFFFF80000UL) ^ 0x00040000UL) + 0x00040000UL) << 2);
5640 + err = get_user(save, (unsigned int*)addr);
5641 + err |= get_user(call, (unsigned int*)(addr+4));
5642 + err |= get_user(nop, (unsigned int*)(addr+8));
5646 + if (save == 0x9DE3BFA8U &&
5647 + (call & 0xC0000000U) == 0x40000000U &&
5648 + nop == 0x01000000U)
5650 + struct vm_area_struct *vma;
5651 + unsigned long call_dl_resolve;
5653 + down_read(¤t->mm->mmap_sem);
5654 + call_dl_resolve = current->mm->call_dl_resolve;
5655 + up_read(¤t->mm->mmap_sem);
5656 + if (likely(call_dl_resolve))
5659 + vma = kmem_cache_alloc(vm_area_cachep, SLAB_KERNEL);
5661 + down_write(¤t->mm->mmap_sem);
5662 + if (current->mm->call_dl_resolve) {
5663 + call_dl_resolve = current->mm->call_dl_resolve;
5664 + up_write(¤t->mm->mmap_sem);
5665 + if (vma) kmem_cache_free(vm_area_cachep, vma);
5669 + call_dl_resolve = get_unmapped_area(NULL, 0UL, PAGE_SIZE, 0UL, MAP_PRIVATE);
5670 + if (!vma || (call_dl_resolve & ~PAGE_MASK)) {
5671 + up_write(¤t->mm->mmap_sem);
5672 + if (vma) kmem_cache_free(vm_area_cachep, vma);
5676 + if (pax_insert_vma(vma, call_dl_resolve)) {
5677 + up_write(¤t->mm->mmap_sem);
5678 + kmem_cache_free(vm_area_cachep, vma);
5682 + current->mm->call_dl_resolve = call_dl_resolve;
5683 + up_write(¤t->mm->mmap_sem);
5686 + regs->u_regs[UREG_G1] = (sethi & 0x003FFFFFU) << 10;
5687 + regs->tpc = call_dl_resolve;
5688 + regs->tnpc = addr+4;
5694 + do { /* PaX: unpatched PLT emulation step 2 */
5695 + unsigned int save, call, nop;
5697 + err = get_user(save, (unsigned int*)(regs->tpc-4));
5698 + err |= get_user(call, (unsigned int*)regs->tpc);
5699 + err |= get_user(nop, (unsigned int*)(regs->tpc+4));
5703 + if (save == 0x9DE3BFA8U &&
5704 + (call & 0xC0000000U) == 0x40000000U &&
5705 + nop == 0x01000000U)
5707 + unsigned long dl_resolve = regs->tpc + ((((call | 0xFFFFFFFFC0000000UL) ^ 0x20000000UL) + 0x20000000UL) << 2);
5709 + regs->u_regs[UREG_RETPC] = regs->tpc;
5710 + regs->tpc = dl_resolve;
5711 + regs->tnpc = dl_resolve+4;
5720 +void pax_report_insns(void *pc, void *sp)
5724 + printk(KERN_ERR "PAX: bytes at PC: ");
5725 + for (i = 0; i < 5; i++) {
5727 + if (get_user(c, (unsigned int*)pc+i))
5728 + printk("???????? ");
5730 + printk("%08x ", c);
5736 asmlinkage void __kprobes do_sparc64_fault(struct pt_regs *regs)
5738 struct mm_struct *mm = current->mm;
5739 @@ -293,8 +660,10 @@ asmlinkage void __kprobes do_sparc64_fau
5742 if (test_thread_flag(TIF_32BIT)) {
5743 - if (!(regs->tstate & TSTATE_PRIV))
5744 + if (!(regs->tstate & TSTATE_PRIV)) {
5745 regs->tpc &= 0xffffffff;
5746 + regs->tnpc &= 0xffffffff;
5748 address &= 0xffffffff;
5751 @@ -311,6 +680,29 @@ asmlinkage void __kprobes do_sparc64_fau
5755 +#ifdef CONFIG_PAX_PAGEEXEC
5756 + /* PaX: detect ITLB misses on non-exec pages */
5757 + if ((mm->pax_flags & MF_PAX_PAGEEXEC) && vma->vm_start <= address &&
5758 + !(vma->vm_flags & VM_EXEC) && (fault_code & FAULT_CODE_ITLB))
5760 + if (address != regs->tpc)
5763 + up_read(&mm->mmap_sem);
5764 + switch (pax_handle_fetch_fault(regs)) {
5766 +#ifdef CONFIG_PAX_EMUPLT
5773 + pax_report_fault(regs, (void*)regs->tpc, (void*)(regs->u_regs[UREG_FP] + STACK_BIAS));
5778 /* Pure DTLB misses do not tell us whether the fault causing
5779 * load/store/atomic was a write or not, it only says that there
5780 * was no match. So in such a case we (carefully) read the
5781 diff -urNp linux-2.6.16.12/arch/v850/kernel/module.c linux-2.6.16.12/arch/v850/kernel/module.c
5782 --- linux-2.6.16.12/arch/v850/kernel/module.c 2006-05-01 15:14:26.000000000 -0400
5783 +++ linux-2.6.16.12/arch/v850/kernel/module.c 2006-05-01 20:17:33.000000000 -0400
5784 @@ -150,8 +150,8 @@ static uint32_t do_plt_call (void *locat
5785 tramp[1] = ((val >> 16) & 0xffff) + 0x610000; /* ...; jmp r1 */
5787 /* Init, or core PLT? */
5788 - if (location >= mod->module_core
5789 - && location < mod->module_core + mod->core_size)
5790 + if (location >= mod->module_core_rx
5791 + && location < mod->module_core_rx + mod->core_size_rx)
5792 entry = (void *)sechdrs[mod->arch.core_plt_section].sh_addr;
5794 entry = (void *)sechdrs[mod->arch.init_plt_section].sh_addr;
5795 diff -urNp linux-2.6.16.12/arch/x86_64/boot/compressed/head.S linux-2.6.16.12/arch/x86_64/boot/compressed/head.S
5796 --- linux-2.6.16.12/arch/x86_64/boot/compressed/head.S 2006-05-01 15:14:26.000000000 -0400
5797 +++ linux-2.6.16.12/arch/x86_64/boot/compressed/head.S 2006-05-01 20:17:33.000000000 -0400
5798 @@ -41,11 +41,13 @@ startup_32:
5801 lss stack_start,%esp
5802 + movl 0x000000,%ecx
5804 1: incl %eax # check that A20 really IS enabled
5805 movl %eax,0x000000 # loop forever if it isn't
5808 + movl %ecx,0x000000
5811 * Initialize eflags. Some BIOS's leave bits like NT set. This would
5812 diff -urNp linux-2.6.16.12/arch/x86_64/ia32/ia32_binfmt.c linux-2.6.16.12/arch/x86_64/ia32/ia32_binfmt.c
5813 --- linux-2.6.16.12/arch/x86_64/ia32/ia32_binfmt.c 2006-05-01 15:14:26.000000000 -0400
5814 +++ linux-2.6.16.12/arch/x86_64/ia32/ia32_binfmt.c 2006-05-01 20:17:33.000000000 -0400
5815 @@ -186,6 +186,17 @@ struct elf_prpsinfo
5816 //#include <asm/ia32.h>
5817 #include <linux/elf.h>
5819 +#ifdef CONFIG_PAX_ASLR
5820 +#define PAX_ELF_ET_DYN_BASE(tsk) 0x08048000UL
5822 +#define PAX_DELTA_MMAP_LSB(tsk) PAGE_SHIFT
5823 +#define PAX_DELTA_MMAP_LEN(tsk) 16
5824 +#define PAX_DELTA_EXEC_LSB(tsk) PAGE_SHIFT
5825 +#define PAX_DELTA_EXEC_LEN(tsk) 16
5826 +#define PAX_DELTA_STACK_LSB(tsk) PAGE_SHIFT
5827 +#define PAX_DELTA_STACK_LEN(tsk) 16
5830 typedef struct user_i387_ia32_struct elf_fpregset_t;
5831 typedef struct user32_fxsr_struct elf_fpxregset_t;
5833 diff -urNp linux-2.6.16.12/arch/x86_64/ia32/mmap32.c linux-2.6.16.12/arch/x86_64/ia32/mmap32.c
5834 --- linux-2.6.16.12/arch/x86_64/ia32/mmap32.c 2006-05-01 15:14:26.000000000 -0400
5835 +++ linux-2.6.16.12/arch/x86_64/ia32/mmap32.c 2006-05-01 20:17:33.000000000 -0400
5836 @@ -68,10 +68,22 @@ void ia32_pick_mmap_layout(struct mm_str
5837 (current->personality & ADDR_COMPAT_LAYOUT) ||
5838 current->signal->rlim[RLIMIT_STACK].rlim_cur == RLIM_INFINITY) {
5839 mm->mmap_base = TASK_UNMAPPED_BASE;
5841 +#ifdef CONFIG_PAX_RANDMMAP
5842 + if (mm->pax_flags & MF_PAX_RANDMMAP)
5843 + mm->mmap_base += mm->delta_mmap;
5846 mm->get_unmapped_area = arch_get_unmapped_area;
5847 mm->unmap_area = arch_unmap_area;
5849 mm->mmap_base = mmap_base(mm);
5851 +#ifdef CONFIG_PAX_RANDMMAP
5852 + if (mm->pax_flags & MF_PAX_RANDMMAP)
5853 + mm->mmap_base -= mm->delta_mmap + mm->delta_stack;
5856 mm->get_unmapped_area = arch_get_unmapped_area_topdown;
5857 mm->unmap_area = arch_unmap_area_topdown;
5859 diff -urNp linux-2.6.16.12/arch/x86_64/kernel/process.c linux-2.6.16.12/arch/x86_64/kernel/process.c
5860 --- linux-2.6.16.12/arch/x86_64/kernel/process.c 2006-05-01 15:14:26.000000000 -0400
5861 +++ linux-2.6.16.12/arch/x86_64/kernel/process.c 2006-05-01 20:17:33.000000000 -0400
5862 @@ -840,9 +840,3 @@ int dump_task_regs(struct task_struct *t
5866 -unsigned long arch_align_stack(unsigned long sp)
5868 - if (randomize_va_space)
5869 - sp -= get_random_int() % 8192;
5872 diff -urNp linux-2.6.16.12/arch/x86_64/kernel/ptrace.c linux-2.6.16.12/arch/x86_64/kernel/ptrace.c
5873 --- linux-2.6.16.12/arch/x86_64/kernel/ptrace.c 2006-05-01 15:14:26.000000000 -0400
5874 +++ linux-2.6.16.12/arch/x86_64/kernel/ptrace.c 2006-05-01 20:17:33.000000000 -0400
5876 #include <linux/audit.h>
5877 #include <linux/seccomp.h>
5878 #include <linux/signal.h>
5879 +#include <linux/grsecurity.h>
5881 #include <asm/uaccess.h>
5882 #include <asm/pgtable.h>
5883 diff -urNp linux-2.6.16.12/arch/x86_64/kernel/setup64.c linux-2.6.16.12/arch/x86_64/kernel/setup64.c
5884 --- linux-2.6.16.12/arch/x86_64/kernel/setup64.c 2006-05-01 15:14:26.000000000 -0400
5885 +++ linux-2.6.16.12/arch/x86_64/kernel/setup64.c 2006-05-01 20:17:33.000000000 -0400
5886 @@ -38,7 +38,6 @@ struct desc_ptr idt_descr = { 256 * 16,
5887 char boot_cpu_stack[IRQSTACKSIZE] __attribute__((section(".bss.page_aligned")));
5889 unsigned long __supported_pte_mask __read_mostly = ~0UL;
5890 -static int do_not_nx __cpuinitdata = 0;
5893 Control non executable mappings for 64bit processes.
5894 @@ -50,16 +49,14 @@ int __init nonx_setup(char *str)
5896 if (!strncmp(str, "on", 2)) {
5897 __supported_pte_mask |= _PAGE_NX;
5899 } else if (!strncmp(str, "off", 3)) {
5901 __supported_pte_mask &= ~_PAGE_NX;
5905 __setup("noexec=", nonx_setup); /* parsed early actually */
5907 -int force_personality32 = READ_IMPLIES_EXEC;
5908 +int force_personality32;
5911 Control non executable heap for 32bit processes.
5912 @@ -173,7 +170,7 @@ void __cpuinit check_efer(void)
5915 rdmsrl(MSR_EFER, efer);
5916 - if (!(efer & EFER_NX) || do_not_nx) {
5917 + if (!(efer & EFER_NX)) {
5918 __supported_pte_mask &= ~_PAGE_NX;
5921 diff -urNp linux-2.6.16.12/arch/x86_64/kernel/sys_x86_64.c linux-2.6.16.12/arch/x86_64/kernel/sys_x86_64.c
5922 --- linux-2.6.16.12/arch/x86_64/kernel/sys_x86_64.c 2006-05-01 15:14:26.000000000 -0400
5923 +++ linux-2.6.16.12/arch/x86_64/kernel/sys_x86_64.c 2006-05-01 20:17:33.000000000 -0400
5924 @@ -66,8 +66,8 @@ out:
5928 -static void find_start_end(unsigned long flags, unsigned long *begin,
5929 - unsigned long *end)
5930 +static void find_start_end(struct mm_struct *mm, unsigned long flags,
5931 + unsigned long *begin, unsigned long *end)
5933 if (!test_thread_flag(TIF_IA32) && (flags & MAP_32BIT)) {
5934 /* This is usually used needed to map code in small
5935 @@ -80,7 +80,7 @@ static void find_start_end(unsigned long
5936 *begin = 0x40000000;
5939 - *begin = TASK_UNMAPPED_BASE;
5940 + *begin = mm->mmap_base;
5944 @@ -94,11 +94,15 @@ arch_get_unmapped_area(struct file *filp
5945 unsigned long start_addr;
5946 unsigned long begin, end;
5948 - find_start_end(flags, &begin, &end);
5949 + find_start_end(mm, flags, &begin, &end);
5954 +#ifdef CONFIG_PAX_RANDMMAP
5955 + if (!(mm->pax_flags & MF_PAX_RANDMMAP) || !filp)
5959 addr = PAGE_ALIGN(addr);
5960 vma = find_vma(mm, addr);
5961 diff -urNp linux-2.6.16.12/arch/x86_64/mm/fault.c linux-2.6.16.12/arch/x86_64/mm/fault.c
5962 --- linux-2.6.16.12/arch/x86_64/mm/fault.c 2006-05-01 15:14:26.000000000 -0400
5963 +++ linux-2.6.16.12/arch/x86_64/mm/fault.c 2006-05-01 20:17:33.000000000 -0400
5965 #include <linux/compiler.h>
5966 #include <linux/module.h>
5967 #include <linux/kprobes.h>
5968 +#include <linux/binfmts.h>
5970 #include <asm/system.h>
5971 #include <asm/uaccess.h>
5972 @@ -292,6 +293,33 @@ static int vmalloc_fault(unsigned long a
5976 +#ifdef CONFIG_PAX_PAGEEXEC
5977 +void pax_report_insns(void *pc, void *sp)
5981 + printk(KERN_ERR "PAX: bytes at PC: ");
5982 + for (i = 0; i < 20; i++) {
5984 + if (get_user(c, (unsigned char __user *)pc+i))
5987 + printk("%02x ", c);
5991 + printk(KERN_ERR "PAX: bytes at SP-8: ");
5992 + for (i = -1; i < 10; i++) {
5994 + if (get_user(c, (unsigned long __user *)sp+i))
5995 + printk("???????????????? ");
5997 + printk("%016lx ", c);
6003 int page_fault_trace = 0;
6004 int exception_trace = 1;
6006 @@ -416,6 +444,8 @@ asmlinkage void __kprobes do_page_fault(
6008 info.si_code = SEGV_ACCERR;
6010 + if ((error_code & PF_INSTR) && !(vma->vm_flags & VM_EXEC))
6012 switch (error_code & (PF_PROT|PF_WRITE)) {
6013 default: /* 3: write, present */
6015 @@ -482,7 +512,14 @@ bad_area_nosemaphore:
6016 tsk->comm, tsk->pid, address, regs->rip,
6017 regs->rsp, error_code);
6021 +#ifdef CONFIG_PAX_PAGEEXEC
6022 + if (mm && (mm->pax_flags & MF_PAX_PAGEEXEC) && (error_code & 16)) {
6023 + pax_report_fault(regs, (void*)regs->rip, (void*)regs->rsp);
6028 tsk->thread.cr2 = address;
6029 /* Kernel addresses are always protection faults */
6030 tsk->thread.error_code = error_code | (address >= TASK_SIZE);
6031 diff -urNp linux-2.6.16.12/arch/x86_64/mm/mmap.c linux-2.6.16.12/arch/x86_64/mm/mmap.c
6032 --- linux-2.6.16.12/arch/x86_64/mm/mmap.c 2006-05-01 15:14:26.000000000 -0400
6033 +++ linux-2.6.16.12/arch/x86_64/mm/mmap.c 2006-05-01 20:17:33.000000000 -0400
6034 @@ -24,6 +24,12 @@ void arch_pick_mmap_layout(struct mm_str
6035 unsigned rnd = get_random_int() & 0xfffffff;
6036 mm->mmap_base += ((unsigned long)rnd) << PAGE_SHIFT;
6039 +#ifdef CONFIG_PAX_RANDMMAP
6040 + if (mm->pax_flags & MF_PAX_RANDMMAP)
6041 + mm->mmap_base += mm->delta_mmap;
6044 mm->get_unmapped_area = arch_get_unmapped_area;
6045 mm->unmap_area = arch_unmap_area;
6047 diff -urNp linux-2.6.16.12/drivers/char/agp/frontend.c linux-2.6.16.12/drivers/char/agp/frontend.c
6048 --- linux-2.6.16.12/drivers/char/agp/frontend.c 2006-05-01 15:14:26.000000000 -0400
6049 +++ linux-2.6.16.12/drivers/char/agp/frontend.c 2006-05-01 20:17:33.000000000 -0400
6050 @@ -841,7 +841,7 @@ static int agpioc_reserve_wrap(struct ag
6051 if (copy_from_user(&reserve, arg, sizeof(struct agp_region)))
6054 - if ((unsigned) reserve.seg_count >= ~0U/sizeof(struct agp_segment))
6055 + if ((unsigned) reserve.seg_count >= ~0U/sizeof(struct agp_segment_priv))
6058 client = agp_find_client_by_pid(reserve.pid);
6059 diff -urNp linux-2.6.16.12/drivers/char/keyboard.c linux-2.6.16.12/drivers/char/keyboard.c
6060 --- linux-2.6.16.12/drivers/char/keyboard.c 2006-05-01 15:14:26.000000000 -0400
6061 +++ linux-2.6.16.12/drivers/char/keyboard.c 2006-05-01 20:17:33.000000000 -0400
6062 @@ -607,6 +607,16 @@ static void k_spec(struct vc_data *vc, u
6063 kbd->kbdmode == VC_MEDIUMRAW) &&
6064 value != KVAL(K_SAK))
6065 return; /* SAK is allowed even in raw mode */
6067 +#if defined(CONFIG_GRKERNSEC_PROC) || defined(CONFIG_GRKERNSEC_PROC_MEMMAP)
6069 + void *func = fn_handler[value];
6070 + if (func == fn_show_state || func == fn_show_ptregs ||
6071 + func == fn_show_mem)
6076 fn_handler[value](vc, regs);
6079 diff -urNp linux-2.6.16.12/drivers/char/mem.c linux-2.6.16.12/drivers/char/mem.c
6080 --- linux-2.6.16.12/drivers/char/mem.c 2006-05-01 15:14:26.000000000 -0400
6081 +++ linux-2.6.16.12/drivers/char/mem.c 2006-05-01 20:17:33.000000000 -0400
6083 #include <linux/crash_dump.h>
6084 #include <linux/backing-dev.h>
6085 #include <linux/bootmem.h>
6086 +#include <linux/grsecurity.h>
6088 #include <asm/uaccess.h>
6091 # include <linux/efi.h>
6094 +#ifdef CONFIG_GRKERNSEC
6095 +extern struct file_operations grsec_fops;
6099 * Architectures vary in how they handle caching for addresses
6100 * outside of main memory.
6101 @@ -180,6 +185,11 @@ static ssize_t write_mem(struct file * f
6102 if (!valid_phys_addr_range(p, &count))
6105 +#ifdef CONFIG_GRKERNSEC_KMEM
6106 + gr_handle_mem_write();
6112 #ifdef __ARCH_HAS_NO_PAGE_ZERO_MAPPED
6113 @@ -258,6 +268,11 @@ static int mmap_mem(struct file * file,
6117 +#ifdef CONFIG_GRKERNSEC_KMEM
6118 + if (gr_handle_mem_mmap(vma->vm_pgoff << PAGE_SHIFT, vma))
6122 /* Remap-pfn-range will mark the range VM_IO and VM_RESERVED */
6123 if (remap_pfn_range(vma,
6125 @@ -487,6 +502,11 @@ static ssize_t write_kmem(struct file *
6127 char * kbuf; /* k-addr because vwrite() takes vmlist_lock rwlock */
6129 +#ifdef CONFIG_GRKERNSEC_KMEM
6130 + gr_handle_kmem_write();
6134 if (p < (unsigned long) high_memory) {
6137 @@ -633,9 +633,25 @@
6140 zap_page_range(vma, addr, count, NULL);
6141 - if (zeromap_page_range(vma, addr, count, PAGE_COPY))
6142 + if (zeromap_page_range(vma, addr, count, vma->vm_page_prot))
6145 +#ifdef CONFIG_PAX_SEGMEXEC
6146 + if (vma->vm_flags & VM_MIRROR) {
6147 + unsigned long addr_m;
6148 + struct vm_area_struct * vma_m;
6150 + addr_m = vma->vm_start + vma->vm_mirror;
6151 + vma_m = find_vma(mm, addr_m);
6152 + if (vma_m && vma_m->vm_start == addr_m && (vma_m->vm_flags & VM_MIRROR)) {
6153 + addr_m = addr + vma->vm_mirror;
6154 + zap_page_range(vma_m, addr_m, count, NULL);
6156 + printk(KERN_ERR "PAX: VMMIRROR: read_zero bug, %08lx, %08lx\n",
6157 + addr, vma->vm_start);
6164 @@ -762,6 +798,16 @@ static loff_t memory_lseek(struct file *
6166 static int open_port(struct inode * inode, struct file * filp)
6168 +#ifdef CONFIG_GRKERNSEC_KMEM
6169 + gr_handle_open_port();
6173 + return capable(CAP_SYS_RAWIO) ? 0 : -EPERM;
6176 +static int open_mem(struct inode * inode, struct file * filp)
6178 return capable(CAP_SYS_RAWIO) ? 0 : -EPERM;
6181 @@ -769,7 +815,6 @@ static int open_port(struct inode * inod
6182 #define full_lseek null_lseek
6183 #define write_zero write_null
6184 #define read_full read_zero
6185 -#define open_mem open_port
6186 #define open_kmem open_mem
6187 #define open_oldmem open_mem
6189 @@ -891,6 +936,11 @@ static int memory_open(struct inode * in
6190 filp->f_op = &oldmem_fops;
6193 +#ifdef CONFIG_GRKERNSEC
6195 + filp->f_op = &grsec_fops;
6201 @@ -923,6 +973,9 @@ static const struct {
6202 #ifdef CONFIG_CRASH_DUMP
6203 {12,"oldmem", S_IRUSR | S_IWUSR | S_IRGRP, &oldmem_fops},
6205 +#ifdef CONFIG_GRKERNSEC
6206 + {13,"grsec", S_IRUSR | S_IWUGO, &grsec_fops},
6210 static struct class *mem_class;
6211 diff -urNp linux-2.6.16.12/drivers/char/random.c linux-2.6.16.12/drivers/char/random.c
6212 --- linux-2.6.16.12/drivers/char/random.c 2006-05-01 15:14:26.000000000 -0400
6213 +++ linux-2.6.16.12/drivers/char/random.c 2006-05-01 20:17:33.000000000 -0400
6214 @@ -249,8 +249,13 @@
6216 * Configuration information
6218 +#ifdef CONFIG_GRKERNSEC_RANDNET
6219 +#define INPUT_POOL_WORDS 256
6220 +#define OUTPUT_POOL_WORDS 64
6222 #define INPUT_POOL_WORDS 128
6223 #define OUTPUT_POOL_WORDS 32
6225 #define SEC_XFER_SIZE 512
6228 @@ -1659,3 +1664,25 @@ randomize_range(unsigned long start, uns
6230 return PAGE_ALIGN(get_random_int() % range + start);
6233 +#if defined(CONFIG_PAX_ASLR) || defined(CONFIG_GRKERNSEC)
6234 +unsigned long pax_get_random_long(void)
6236 + static time_t rekey_time;
6237 + static __u32 secret[12];
6241 + * Pick a random secret every REKEY_INTERVAL seconds.
6243 + t = get_seconds();
6244 + if (!rekey_time || (t - rekey_time) > REKEY_INTERVAL) {
6246 + get_random_bytes(secret, sizeof(secret));
6249 + secret[1] = half_md4_transform(secret+8, secret);
6250 + secret[0] = half_md4_transform(secret+8, secret);
6251 + return *(unsigned long *)secret;
6254 diff -urNp linux-2.6.16.12/drivers/char/vt_ioctl.c linux-2.6.16.12/drivers/char/vt_ioctl.c
6255 --- linux-2.6.16.12/drivers/char/vt_ioctl.c 2006-05-01 15:14:26.000000000 -0400
6256 +++ linux-2.6.16.12/drivers/char/vt_ioctl.c 2006-05-01 20:17:33.000000000 -0400
6257 @@ -96,6 +96,12 @@ do_kdsk_ioctl(int cmd, struct kbentry __
6262 +#ifdef CONFIG_GRKERNSEC
6263 + if (!capable(CAP_SYS_TTY_CONFIG))
6267 if (!i && v == K_NOSUCHMAP) {
6268 /* disallocate map */
6269 key_map = key_maps[s];
6270 @@ -236,6 +242,13 @@ do_kdgkb_ioctl(int cmd, struct kbsentry
6274 +#ifdef CONFIG_GRKERNSEC
6275 + if (!capable(CAP_SYS_TTY_CONFIG)) {
6282 first_free = funcbufptr + (funcbufsize - funcbufleft);
6283 for (j = i+1; j < MAX_NR_FUNC && !func_table[j]; j++)
6284 diff -urNp linux-2.6.16.12/drivers/ieee1394/ohci1394.c linux-2.6.16.12/drivers/ieee1394/ohci1394.c
6285 --- linux-2.6.16.12/drivers/ieee1394/ohci1394.c 2006-05-01 15:14:26.000000000 -0400
6286 +++ linux-2.6.16.12/drivers/ieee1394/ohci1394.c 2006-05-01 20:17:33.000000000 -0400
6287 @@ -162,9 +162,9 @@ printk(level "%s: " fmt "\n" , OHCI1394_
6288 printk(level "%s: fw-host%d: " fmt "\n" , OHCI1394_DRIVER_NAME, ohci->host->id , ## args)
6290 /* Module Parameters */
6291 -static int phys_dma = 1;
6292 +static int phys_dma = 0;
6293 module_param(phys_dma, int, 0644);
6294 -MODULE_PARM_DESC(phys_dma, "Enable physical dma (default = 1).");
6295 +MODULE_PARM_DESC(phys_dma, "Enable physical dma (default = 0).");
6297 static void dma_trm_tasklet(unsigned long data);
6298 static void dma_trm_reset(struct dma_trm_ctx *d);
6299 diff -urNp linux-2.6.16.12/drivers/mtd/devices/doc2001.c linux-2.6.16.12/drivers/mtd/devices/doc2001.c
6300 --- linux-2.6.16.12/drivers/mtd/devices/doc2001.c 2006-05-01 15:14:26.000000000 -0400
6301 +++ linux-2.6.16.12/drivers/mtd/devices/doc2001.c 2006-05-01 20:17:33.000000000 -0400
6302 @@ -423,6 +423,8 @@ static int doc_read_ecc (struct mtd_info
6303 /* Don't allow read past end of device */
6304 if (from >= this->totlen)
6309 /* Don't allow a single read to cross a 512-byte block boundary */
6310 if (from + len > ((from | 0x1ff) + 1))
6311 diff -urNp linux-2.6.16.12/drivers/net/wan/sdla_ppp.c linux-2.6.16.12/drivers/net/wan/sdla_ppp.c
6312 --- linux-2.6.16.12/drivers/net/wan/sdla_ppp.c 2006-05-01 15:14:26.000000000 -0400
6313 +++ linux-2.6.16.12/drivers/net/wan/sdla_ppp.c 2006-05-01 20:17:33.000000000 -0400
6314 @@ -451,7 +451,7 @@ static int update(struct wan_device *wan
6315 sdla_t* card = wandev->private;
6316 struct net_device* dev;
6317 volatile ppp_private_area_t *ppp_priv_area;
6318 - ppp_flags_t *flags = card->flags;
6319 + ppp_flags_t *flags;
6320 unsigned long timeout;
6323 @@ -475,6 +475,7 @@ static int update(struct wan_device *wan
6325 ppp_priv_area->update_comms_stats = 2;
6326 ppp_priv_area->timer_int_enabled |= TMR_INT_ENABLED_UPDATE;
6327 + flags = card->flags;
6328 flags->imask |= PPP_INTR_TIMER;
6330 /* wait a maximum of 1 second for the statistics to be updated */
6331 diff -urNp linux-2.6.16.12/drivers/pci/proc.c linux-2.6.16.12/drivers/pci/proc.c
6332 --- linux-2.6.16.12/drivers/pci/proc.c 2006-05-01 15:14:26.000000000 -0400
6333 +++ linux-2.6.16.12/drivers/pci/proc.c 2006-05-01 20:17:33.000000000 -0400
6334 @@ -569,7 +569,15 @@ static struct file_operations proc_pci_o
6336 static void legacy_proc_init(void)
6338 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
6339 +#ifdef CONFIG_GRKERNSEC_PROC_USER
6340 + struct proc_dir_entry * entry = create_proc_entry("pci", S_IRUSR, NULL);
6341 +#elif CONFIG_GRKERNSEC_PROC_USERGROUP
6342 + struct proc_dir_entry * entry = create_proc_entry("pci", S_IRUSR | S_IRGRP, NULL);
6345 struct proc_dir_entry * entry = create_proc_entry("pci", 0, NULL);
6348 entry->proc_fops = &proc_pci_operations;
6350 @@ -598,7 +606,15 @@ static int __init pci_proc_init(void)
6352 struct proc_dir_entry *entry;
6353 struct pci_dev *dev = NULL;
6354 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
6355 +#ifdef CONFIG_GRKERNSEC_PROC_USER
6356 + proc_bus_pci_dir = proc_mkdir_mode("pci", S_IRUSR | S_IXUSR, proc_bus);
6357 +#elif CONFIG_GRKERNSEC_PROC_USERGROUP
6358 + proc_bus_pci_dir = proc_mkdir_mode("pci", S_IRUSR | S_IXUSR | S_IRGRP | S_IXGRP, proc_bus);
6361 proc_bus_pci_dir = proc_mkdir("pci", proc_bus);
6363 entry = create_proc_entry("devices", 0, proc_bus_pci_dir);
6365 entry->proc_fops = &proc_bus_pci_dev_operations;
6366 diff -urNp linux-2.6.16.12/drivers/pnp/pnpbios/bioscalls.c linux-2.6.16.12/drivers/pnp/pnpbios/bioscalls.c
6367 --- linux-2.6.16.12/drivers/pnp/pnpbios/bioscalls.c 2006-05-01 15:14:26.000000000 -0400
6368 +++ linux-2.6.16.12/drivers/pnp/pnpbios/bioscalls.c 2006-05-01 20:17:33.000000000 -0400
6369 @@ -65,7 +65,7 @@ set_base(gdt[(selname) >> 3], (u32)(addr
6370 set_limit(gdt[(selname) >> 3], size); \
6373 -static struct desc_struct bad_bios_desc = { 0, 0x00409200 };
6374 +static struct desc_struct bad_bios_desc = { 0, 0x00409300 };
6377 * At some point we want to use this stack frame pointer to unwind
6378 @@ -93,6 +93,10 @@ static inline u16 call_pnp_bios(u16 func
6379 struct desc_struct save_desc_40;
6382 +#ifdef CONFIG_PAX_KERNEXEC
6383 + unsigned long cr0;
6387 * PnP BIOSes are generally not terribly re-entrant.
6388 * Also, don't rely on them to save everything correctly.
6389 @@ -107,6 +111,10 @@ static inline u16 call_pnp_bios(u16 func
6390 /* On some boxes IRQ's during PnP BIOS calls are deadly. */
6391 spin_lock_irqsave(&pnp_bios_lock, flags);
6393 +#ifdef CONFIG_PAX_KERNEXEC
6394 + pax_open_kernel(cr0);
6397 /* The lock prevents us bouncing CPU here */
6399 Q2_SET_SEL(smp_processor_id(), PNP_TS1, ts1_base, ts1_size);
6400 @@ -142,9 +150,14 @@ static inline u16 call_pnp_bios(u16 func
6404 - spin_unlock_irqrestore(&pnp_bios_lock, flags);
6406 get_cpu_gdt_table(cpu)[0x40 / 8] = save_desc_40;
6408 +#ifdef CONFIG_PAX_KERNEXEC
6409 + pax_close_kernel(cr0);
6412 + spin_unlock_irqrestore(&pnp_bios_lock, flags);
6415 /* If we get here and this is set then the PnP BIOS faulted on us. */
6416 diff -urNp linux-2.6.16.12/drivers/scsi/libata-scsi.c linux-2.6.16.12/drivers/scsi/libata-scsi.c
6417 --- linux-2.6.16.12/drivers/scsi/libata-scsi.c 2006-05-01 15:14:26.000000000 -0400
6418 +++ linux-2.6.16.12/drivers/scsi/libata-scsi.c 2006-05-01 20:17:33.000000000 -0400
6419 @@ -1591,7 +1591,7 @@ unsigned int ata_scsiop_inq_80(struct at
6423 -static const char * const inq_83_str = "Linux ATA-SCSI simulator";
6424 +static const char inq_83_str[] = "Linux ATA-SCSI simulator";
6427 * ata_scsiop_inq_83 - Simulate INQUIRY EVPD page 83, device identity
6428 @@ -1610,13 +1610,13 @@ unsigned int ata_scsiop_inq_83(struct at
6429 unsigned int buflen)
6431 rbuf[1] = 0x83; /* this page code */
6432 - rbuf[3] = 4 + strlen(inq_83_str); /* page len */
6433 + rbuf[3] = 3 + sizeof(inq_83_str); /* page len */
6435 /* our one and only identification descriptor (vendor-specific) */
6436 - if (buflen > (strlen(inq_83_str) + 4 + 4 - 1)) {
6437 + if (buflen >= (sizeof(inq_83_str) + 4 + 4 - 1)) {
6438 rbuf[4 + 0] = 2; /* code set: ASCII */
6439 - rbuf[4 + 3] = strlen(inq_83_str);
6440 - memcpy(rbuf + 4 + 4, inq_83_str, strlen(inq_83_str));
6441 + rbuf[4 + 3] = sizeof(inq_83_str)-1;
6442 + memcpy(rbuf + 4 + 4, inq_83_str, sizeof(inq_83_str)-1);
6446 diff -urNp linux-2.6.16.12/drivers/video/vesafb.c linux-2.6.16.12/drivers/video/vesafb.c
6447 --- linux-2.6.16.12/drivers/video/vesafb.c 2006-05-01 15:14:26.000000000 -0400
6448 +++ linux-2.6.16.12/drivers/video/vesafb.c 2006-05-01 20:17:33.000000000 -0400
6449 @@ -251,7 +251,7 @@ static int __init vesafb_probe(struct pl
6450 size_remap = size_total;
6451 vesafb_fix.smem_len = size_remap;
6454 +#if !defined(__i386__) || defined(CONFIG_PAX_KERNEXEC)
6455 screen_info.vesapm_seg = 0;
6458 diff -urNp linux-2.6.16.12/fs/binfmt_aout.c linux-2.6.16.12/fs/binfmt_aout.c
6459 --- linux-2.6.16.12/fs/binfmt_aout.c 2006-05-01 15:14:26.000000000 -0400
6460 +++ linux-2.6.16.12/fs/binfmt_aout.c 2006-05-01 20:17:33.000000000 -0400
6462 #include <linux/personality.h>
6463 #include <linux/init.h>
6464 #include <linux/vs_memory.h>
6465 +#include <linux/grsecurity.h>
6467 #include <asm/system.h>
6468 #include <asm/uaccess.h>
6469 @@ -124,10 +125,12 @@ static int aout_core_dump(long signr, st
6470 /* If the size of the dump file exceeds the rlimit, then see what would happen
6471 if we wrote the stack, but not the data area. */
6473 + gr_learn_resource(current, RLIMIT_CORE, dump.u_dsize+dump.u_ssize, 1);
6474 if ((dump.u_dsize+dump.u_ssize) >
6475 current->signal->rlim[RLIMIT_CORE].rlim_cur)
6478 + gr_learn_resource(current, RLIMIT_CORE, (dump.u_dsize+dump.u_ssize+1) * PAGE_SIZE, 1);
6479 if ((dump.u_dsize+dump.u_ssize+1) * PAGE_SIZE >
6480 current->signal->rlim[RLIMIT_CORE].rlim_cur)
6482 @@ -135,10 +138,12 @@ static int aout_core_dump(long signr, st
6484 /* Make sure we have enough room to write the stack and data areas. */
6486 + gr_learn_resource(current, RLIMIT_CORE, dump.u_ssize, 1);
6487 if ((dump.u_ssize) >
6488 current->signal->rlim[RLIMIT_CORE].rlim_cur)
6491 + gr_learn_resource(current, RLIMIT_CORE, (dump.u_ssize+1) * PAGE_SIZE, 1);
6492 if ((dump.u_ssize+1) * PAGE_SIZE >
6493 current->signal->rlim[RLIMIT_CORE].rlim_cur)
6495 @@ -288,6 +293,8 @@ static int load_aout_binary(struct linux
6496 rlim = current->signal->rlim[RLIMIT_DATA].rlim_cur;
6497 if (rlim >= RLIM_INFINITY)
6500 + gr_learn_resource(current, RLIMIT_DATA, ex.a_data + ex.a_bss, 1);
6501 if (ex.a_data + ex.a_bss > rlim)
6504 @@ -320,6 +327,28 @@ static int load_aout_binary(struct linux
6505 current->mm->mmap = NULL;
6506 compute_creds(bprm);
6507 current->flags &= ~PF_FORKNOEXEC;
6509 +#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
6510 + current->mm->pax_flags = 0UL;
6513 +#ifdef CONFIG_PAX_PAGEEXEC
6514 + if (!(N_FLAGS(ex) & F_PAX_PAGEEXEC)) {
6515 + current->mm->pax_flags |= MF_PAX_PAGEEXEC;
6517 +#ifdef CONFIG_PAX_EMUTRAMP
6518 + if (N_FLAGS(ex) & F_PAX_EMUTRAMP)
6519 + current->mm->pax_flags |= MF_PAX_EMUTRAMP;
6522 +#ifdef CONFIG_PAX_MPROTECT
6523 + if (!(N_FLAGS(ex) & F_PAX_MPROTECT))
6524 + current->mm->pax_flags |= MF_PAX_MPROTECT;
6531 if (N_MAGIC(ex) == NMAGIC) {
6532 loff_t pos = fd_offset;
6533 @@ -415,7 +444,7 @@ static int load_aout_binary(struct linux
6535 down_write(¤t->mm->mmap_sem);
6536 error = do_mmap(bprm->file, N_DATADDR(ex), ex.a_data,
6537 - PROT_READ | PROT_WRITE | PROT_EXEC,
6538 + PROT_READ | PROT_WRITE,
6539 MAP_FIXED | MAP_PRIVATE | MAP_DENYWRITE | MAP_EXECUTABLE,
6540 fd_offset + ex.a_text);
6541 up_write(¤t->mm->mmap_sem);
6542 diff -urNp linux-2.6.16.12/fs/binfmt_elf.c linux-2.6.16.12/fs/binfmt_elf.c
6543 --- linux-2.6.16.12/fs/binfmt_elf.c 2006-05-01 15:14:26.000000000 -0400
6544 +++ linux-2.6.16.12/fs/binfmt_elf.c 2006-05-01 20:17:33.000000000 -0400
6546 #include <linux/random.h>
6547 #include <linux/vs_memory.h>
6548 #include <linux/vs_cvirt.h>
6549 +#include <linux/grsecurity.h>
6551 #include <asm/uaccess.h>
6552 #include <asm/param.h>
6553 #include <asm/page.h>
6555 +#ifdef CONFIG_PAX_SEGMEXEC
6556 +#include <asm/desc.h>
6559 #include <linux/elf.h>
6561 static int load_elf_binary(struct linux_binprm * bprm, struct pt_regs * regs);
6562 @@ -91,6 +96,8 @@ static struct linux_binfmt elf_format =
6564 static int set_brk(unsigned long start, unsigned long end)
6566 + unsigned long e = end;
6568 start = ELF_PAGEALIGN(start);
6569 end = ELF_PAGEALIGN(end);
6571 @@ -101,7 +108,7 @@ static int set_brk(unsigned long start,
6575 - current->mm->start_brk = current->mm->brk = end;
6576 + current->mm->start_brk = current->mm->brk = e;
6580 @@ -317,10 +324,9 @@ static unsigned long load_elf_interp(str
6582 struct elf_phdr *elf_phdata;
6583 struct elf_phdr *eppnt;
6584 - unsigned long load_addr = 0;
6585 - int load_addr_set = 0;
6586 + unsigned long load_addr = 0, min_addr, max_addr, task_size = TASK_SIZE;
6587 unsigned long last_bss = 0, elf_bss = 0;
6588 - unsigned long error = ~0UL;
6589 + unsigned long error = -EINVAL;
6590 int retval, i, size;
6592 /* First of all, some simple consistency checks */
6593 @@ -359,59 +365,80 @@ static unsigned long load_elf_interp(str
6597 +#ifdef CONFIG_PAX_SEGMEXEC
6598 + if (current->mm->pax_flags & MF_PAX_SEGMEXEC)
6599 + task_size = SEGMEXEC_TASK_SIZE;
6603 + min_addr = task_size;
6607 for (i=0; i<interp_elf_ex->e_phnum; i++, eppnt++) {
6608 - if (eppnt->p_type == PT_LOAD) {
6609 - int elf_type = MAP_PRIVATE | MAP_DENYWRITE;
6611 - unsigned long vaddr = 0;
6612 - unsigned long k, map_addr;
6614 - if (eppnt->p_flags & PF_R) elf_prot = PROT_READ;
6615 - if (eppnt->p_flags & PF_W) elf_prot |= PROT_WRITE;
6616 - if (eppnt->p_flags & PF_X) elf_prot |= PROT_EXEC;
6617 - vaddr = eppnt->p_vaddr;
6618 - if (interp_elf_ex->e_type == ET_EXEC || load_addr_set)
6619 - elf_type |= MAP_FIXED;
6621 - map_addr = elf_map(interpreter, load_addr + vaddr, eppnt, elf_prot, elf_type);
6623 - if (BAD_ADDR(map_addr))
6626 - if (!load_addr_set && interp_elf_ex->e_type == ET_DYN) {
6627 - load_addr = map_addr - ELF_PAGESTART(vaddr);
6628 - load_addr_set = 1;
6632 - * Check to see if the section's size will overflow the
6633 - * allowed task size. Note that p_filesz must always be
6634 - * <= p_memsize so it is only necessary to check p_memsz.
6636 - k = load_addr + eppnt->p_vaddr;
6637 - if (BAD_ADDR(k) || eppnt->p_filesz > eppnt->p_memsz ||
6638 - eppnt->p_memsz > TASK_SIZE || TASK_SIZE - eppnt->p_memsz < k) {
6640 + if (eppnt->p_type != PT_LOAD)
6644 + * Check to see if the section's size will overflow the
6645 + * allowed task size. Note that p_filesz must always be
6646 + * <= p_memsize so it is only necessary to check p_memsz.
6648 + if (eppnt->p_filesz > eppnt->p_memsz || eppnt->p_vaddr >= eppnt->p_vaddr + eppnt->p_memsz)
6651 + if (min_addr > ELF_PAGESTART(eppnt->p_vaddr))
6652 + min_addr = ELF_PAGESTART(eppnt->p_vaddr);
6653 + if (max_addr < ELF_PAGEALIGN(eppnt->p_vaddr + eppnt->p_memsz))
6654 + max_addr = ELF_PAGEALIGN(eppnt->p_vaddr + eppnt->p_memsz);
6656 + if (min_addr >= max_addr)
6661 - * Find the end of the file mapping for this phdr, and keep
6662 - * track of the largest address we see for this.
6664 - k = load_addr + eppnt->p_vaddr + eppnt->p_filesz;
6669 - * Do the same thing for the memory mapping - between
6670 - * elf_bss and last_bss is the bss section.
6672 - k = load_addr + eppnt->p_memsz + eppnt->p_vaddr;
6676 + eppnt = elf_phdata;
6677 + for (i=0; i<interp_elf_ex->e_phnum; i++, eppnt++) {
6678 + int elf_type = MAP_PRIVATE | MAP_DENYWRITE | MAP_FIXED;
6680 + unsigned long vaddr;
6681 + unsigned long k, map_addr;
6683 + if (eppnt->p_type != PT_LOAD)
6686 + if (eppnt->p_flags & PF_R) elf_prot = PROT_READ;
6687 + if (eppnt->p_flags & PF_W) elf_prot |= PROT_WRITE;
6688 + if (eppnt->p_flags & PF_X) elf_prot |= PROT_EXEC;
6689 + vaddr = eppnt->p_vaddr;
6691 + if (!load_addr && interp_elf_ex->e_type == ET_DYN) {
6692 + load_addr = get_unmapped_area(interpreter, 0, max_addr - min_addr, 0, MAP_PRIVATE | MAP_EXECUTABLE);
6694 + if (load_addr > task_size)
6697 + load_addr -= min_addr;
6700 + map_addr = elf_map(interpreter, load_addr + vaddr, eppnt, elf_prot, elf_type);
6702 + if (BAD_ADDR(map_addr))
6706 + * Find the end of the file mapping for this phdr, and keep
6707 + * track of the largest address we see for this.
6709 + k = load_addr + eppnt->p_vaddr + eppnt->p_filesz;
6714 + * Do the same thing for the memory mapping - between
6715 + * elf_bss and last_bss is the bss section.
6717 + k = load_addr + eppnt->p_memsz + eppnt->p_vaddr;
6723 @@ -448,7 +475,7 @@ out:
6724 static unsigned long load_aout_interp(struct exec * interp_ex,
6725 struct file * interpreter)
6727 - unsigned long text_data, elf_entry = ~0UL;
6728 + unsigned long text_data, elf_entry = -EINVAL;
6732 @@ -492,6 +519,180 @@ out:
6736 +#if (defined(CONFIG_PAX_EI_PAX) || defined(CONFIG_PAX_PT_PAX_FLAGS)) && defined(CONFIG_PAX_SOFTMODE)
6737 +static unsigned long pax_parse_softmode(const struct elf_phdr * const elf_phdata)
6739 + unsigned long pax_flags = 0UL;
6741 +#ifdef CONFIG_PAX_PAGEEXEC
6742 + if (elf_phdata->p_flags & PF_PAGEEXEC)
6743 + pax_flags |= MF_PAX_PAGEEXEC;
6746 +#ifdef CONFIG_PAX_SEGMEXEC
6747 + if (elf_phdata->p_flags & PF_SEGMEXEC)
6748 + pax_flags |= MF_PAX_SEGMEXEC;
6751 +#ifdef CONFIG_PAX_DEFAULT_PAGEEXEC
6752 + if (pax_flags & MF_PAX_PAGEEXEC)
6753 + pax_flags &= ~MF_PAX_SEGMEXEC;
6756 +#ifdef CONFIG_PAX_DEFAULT_SEGMEXEC
6757 + if (pax_flags & MF_PAX_SEGMEXEC)
6758 + pax_flags &= ~MF_PAX_PAGEEXEC;
6761 +#ifdef CONFIG_PAX_EMUTRAMP
6762 + if (elf_phdata->p_flags & PF_EMUTRAMP)
6763 + pax_flags |= MF_PAX_EMUTRAMP;
6766 +#ifdef CONFIG_PAX_MPROTECT
6767 + if (elf_phdata->p_flags & PF_MPROTECT)
6768 + pax_flags |= MF_PAX_MPROTECT;
6771 +#if defined(CONFIG_PAX_RANDMMAP) || defined(CONFIG_PAX_RANDUSTACK)
6772 + if (randomize_va_space && (elf_phdata->p_flags & PF_RANDMMAP))
6773 + pax_flags |= MF_PAX_RANDMMAP;
6780 +#ifdef CONFIG_PAX_PT_PAX_FLAGS
6781 +static unsigned long pax_parse_hardmode(const struct elf_phdr * const elf_phdata)
6783 + unsigned long pax_flags = 0UL;
6785 +#ifdef CONFIG_PAX_PAGEEXEC
6786 + if (!(elf_phdata->p_flags & PF_NOPAGEEXEC))
6787 + pax_flags |= MF_PAX_PAGEEXEC;
6790 +#ifdef CONFIG_PAX_SEGMEXEC
6791 + if (!(elf_phdata->p_flags & PF_NOSEGMEXEC))
6792 + pax_flags |= MF_PAX_SEGMEXEC;
6795 +#ifdef CONFIG_PAX_DEFAULT_PAGEEXEC
6796 + if (pax_flags & MF_PAX_PAGEEXEC)
6797 + pax_flags &= ~MF_PAX_SEGMEXEC;
6800 +#ifdef CONFIG_PAX_DEFAULT_SEGMEXEC
6801 + if (pax_flags & MF_PAX_SEGMEXEC)
6802 + pax_flags &= ~MF_PAX_PAGEEXEC;
6805 +#ifdef CONFIG_PAX_EMUTRAMP
6806 + if (!(elf_phdata->p_flags & PF_NOEMUTRAMP))
6807 + pax_flags |= MF_PAX_EMUTRAMP;
6810 +#ifdef CONFIG_PAX_MPROTECT
6811 + if (!(elf_phdata->p_flags & PF_NOMPROTECT))
6812 + pax_flags |= MF_PAX_MPROTECT;
6815 +#if defined(CONFIG_PAX_RANDMMAP) || defined(CONFIG_PAX_RANDUSTACK)
6816 + if (randomize_va_space && !(elf_phdata->p_flags & PF_NORANDMMAP))
6817 + pax_flags |= MF_PAX_RANDMMAP;
6824 +#ifdef CONFIG_PAX_EI_PAX
6825 +static unsigned long pax_parse_ei_pax(const struct elfhdr * const elf_ex)
6827 + unsigned long pax_flags = 0UL;
6829 +#ifdef CONFIG_PAX_PAGEEXEC
6830 + if (!(elf_ex->e_ident[EI_PAX] & EF_PAX_PAGEEXEC))
6831 + pax_flags |= MF_PAX_PAGEEXEC;
6834 +#ifdef CONFIG_PAX_SEGMEXEC
6835 + if (!(elf_ex->e_ident[EI_PAX] & EF_PAX_SEGMEXEC))
6836 + pax_flags |= MF_PAX_SEGMEXEC;
6839 +#ifdef CONFIG_PAX_DEFAULT_PAGEEXEC
6840 + if (pax_flags & MF_PAX_PAGEEXEC)
6841 + pax_flags &= ~MF_PAX_SEGMEXEC;
6844 +#ifdef CONFIG_PAX_DEFAULT_SEGMEXEC
6845 + if (pax_flags & MF_PAX_SEGMEXEC)
6846 + pax_flags &= ~MF_PAX_PAGEEXEC;
6849 +#ifdef CONFIG_PAX_EMUTRAMP
6850 + if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) && (elf_ex->e_ident[EI_PAX] & EF_PAX_EMUTRAMP))
6851 + pax_flags |= MF_PAX_EMUTRAMP;
6854 +#ifdef CONFIG_PAX_MPROTECT
6855 + if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) && !(elf_ex->e_ident[EI_PAX] & EF_PAX_MPROTECT))
6856 + pax_flags |= MF_PAX_MPROTECT;
6859 +#ifdef CONFIG_PAX_ASLR
6860 + if (randomize_va_space && !(elf_ex->e_ident[EI_PAX] & EF_PAX_RANDMMAP))
6861 + pax_flags |= MF_PAX_RANDMMAP;
6868 +#if defined(CONFIG_PAX_EI_PAX) || defined(CONFIG_PAX_PT_PAX_FLAGS)
6869 +static long pax_parse_elf_flags(const struct elfhdr * const elf_ex, const struct elf_phdr * const elf_phdata)
6871 + unsigned long pax_flags = 0UL;
6873 +#ifdef CONFIG_PAX_PT_PAX_FLAGS
6877 +#ifdef CONFIG_PAX_EI_PAX
6878 + pax_flags = pax_parse_ei_pax(elf_ex);
6881 +#ifdef CONFIG_PAX_PT_PAX_FLAGS
6882 + for (i = 0UL; i < elf_ex->e_phnum; i++)
6883 + if (elf_phdata[i].p_type == PT_PAX_FLAGS) {
6884 + if (((elf_phdata[i].p_flags & PF_PAGEEXEC) && (elf_phdata[i].p_flags & PF_NOPAGEEXEC)) ||
6885 + ((elf_phdata[i].p_flags & PF_SEGMEXEC) && (elf_phdata[i].p_flags & PF_NOSEGMEXEC)) ||
6886 + ((elf_phdata[i].p_flags & PF_EMUTRAMP) && (elf_phdata[i].p_flags & PF_NOEMUTRAMP)) ||
6887 + ((elf_phdata[i].p_flags & PF_MPROTECT) && (elf_phdata[i].p_flags & PF_NOMPROTECT)) ||
6888 + ((elf_phdata[i].p_flags & PF_RANDMMAP) && (elf_phdata[i].p_flags & PF_NORANDMMAP)))
6891 +#ifdef CONFIG_PAX_SOFTMODE
6893 + pax_flags = pax_parse_softmode(&elf_phdata[i]);
6897 + pax_flags = pax_parse_hardmode(&elf_phdata[i]);
6902 + if (0 > pax_check_flags(&pax_flags))
6905 + current->mm->pax_flags = pax_flags;
6911 * These are the functions used to load ELF style executables and shared
6912 * libraries. There is no binary dependent code anywhere else.
6913 @@ -523,7 +724,7 @@ static int load_elf_binary(struct linux_
6914 char * elf_interpreter = NULL;
6915 unsigned int interpreter_type = INTERPRETER_NONE;
6916 unsigned char ibcs2_interpreter = 0;
6917 - unsigned long error;
6918 + unsigned long error = 0;
6919 struct elf_phdr * elf_ppnt, *elf_phdata;
6920 unsigned long elf_bss, elf_brk;
6921 int elf_exec_fileno;
6922 @@ -541,6 +742,7 @@ static int load_elf_binary(struct linux_
6923 struct elfhdr interp_elf_ex;
6924 struct exec interp_ex;
6926 + unsigned long task_size = TASK_SIZE;
6928 loc = kmalloc(sizeof(*loc), GFP_KERNEL);
6930 @@ -766,14 +968,88 @@ static int load_elf_binary(struct linux_
6931 current->mm->end_code = 0;
6932 current->mm->mmap = NULL;
6933 current->flags &= ~PF_FORKNOEXEC;
6935 +#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
6936 + current->mm->pax_flags = 0UL;
6939 +#ifdef CONFIG_PAX_DLRESOLVE
6940 + current->mm->call_dl_resolve = 0UL;
6943 +#if defined(CONFIG_PPC32) && defined(CONFIG_PAX_EMUSIGRT)
6944 + current->mm->call_syscall = 0UL;
6947 +#ifdef CONFIG_PAX_ASLR
6948 + current->mm->delta_mmap = 0UL;
6949 + current->mm->delta_exec = 0UL;
6950 + current->mm->delta_stack = 0UL;
6953 current->mm->def_flags = def_flags;
6955 +#if defined(CONFIG_PAX_EI_PAX) || defined(CONFIG_PAX_PT_PAX_FLAGS)
6956 + if (0 > pax_parse_elf_flags(&loc->elf_ex, elf_phdata)) {
6957 + send_sig(SIGKILL, current, 0);
6958 + goto out_free_dentry;
6962 +#ifdef CONFIG_PAX_HAVE_ACL_FLAGS
6963 + pax_set_initial_flags(bprm);
6964 +#elif defined(CONFIG_PAX_HOOK_ACL_FLAGS)
6965 + if (pax_set_initial_flags_func)
6966 + (pax_set_initial_flags_func)(bprm);
6969 +#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
6970 + if (current->mm->pax_flags & MF_PAX_PAGEEXEC)
6971 + current->mm->context.user_cs_limit = PAGE_SIZE;
6974 +#ifdef CONFIG_PAX_SEGMEXEC
6975 + if (current->mm->pax_flags & MF_PAX_SEGMEXEC) {
6976 + int cpu = get_cpu();
6978 + current->mm->context.user_cs_base = SEGMEXEC_TASK_SIZE;
6979 + current->mm->context.user_cs_limit = -SEGMEXEC_TASK_SIZE;
6980 + set_user_cs(current->mm, cpu);
6982 + task_size = SEGMEXEC_TASK_SIZE;
6986 +#ifdef CONFIG_PAX_ASLR
6987 + if (current->mm->pax_flags & MF_PAX_RANDMMAP) {
6988 +#define pax_delta_mask(delta, lsb, len) (((delta) & ((1UL << (len)) - 1)) << (lsb))
6990 + current->mm->delta_mmap = pax_delta_mask(pax_get_random_long(), PAX_DELTA_MMAP_LSB(current), PAX_DELTA_MMAP_LEN(current));
6991 + current->mm->delta_exec = pax_delta_mask(pax_get_random_long(), PAX_DELTA_EXEC_LSB(current), PAX_DELTA_EXEC_LEN(current));
6992 + current->mm->delta_stack = pax_delta_mask(pax_get_random_long(), PAX_DELTA_STACK_LSB(current), PAX_DELTA_STACK_LEN(current));
6996 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
6997 + if (current->mm->pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC))
6998 + executable_stack = EXSTACK_DEFAULT;
7001 /* Do this immediately, since STACK_TOP as used in setup_arg_pages
7002 may depend on the personality. */
7003 SET_PERSONALITY(loc->elf_ex, ibcs2_interpreter);
7005 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
7006 + if (!(current->mm->pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)))
7009 if (elf_read_implies_exec(loc->elf_ex, executable_stack))
7010 current->personality |= READ_IMPLIES_EXEC;
7012 +#ifdef CONFIG_PAX_ASLR
7013 + if (!(current->mm->pax_flags & MF_PAX_RANDMMAP))
7016 if ( !(current->personality & ADDR_NO_RANDOMIZE) && randomize_va_space)
7017 current->flags |= PF_RANDOMIZE;
7018 arch_pick_mmap_layout(current->mm);
7019 @@ -845,6 +1121,15 @@ static int load_elf_binary(struct linux_
7020 base, as well as whatever program they might try to exec. This
7021 is because the brk will follow the loader, and is not movable. */
7022 load_bias = ELF_PAGESTART(ELF_ET_DYN_BASE - vaddr);
7024 +#ifdef CONFIG_PAX_RANDMMAP
7025 + /* PaX: randomize base address at the default exe base if requested */
7026 + if (current->mm->pax_flags & MF_PAX_RANDMMAP) {
7027 + load_bias = ELF_PAGESTART(PAX_ELF_ET_DYN_BASE(current) - vaddr + current->mm->delta_exec);
7028 + elf_flags |= MAP_FIXED;
7034 error = elf_map(bprm->file, load_bias + vaddr, elf_ppnt, elf_prot, elf_flags);
7035 @@ -872,9 +1157,9 @@ static int load_elf_binary(struct linux_
7036 * allowed task size. Note that p_filesz must always be
7037 * <= p_memsz so it is only necessary to check p_memsz.
7039 - if (BAD_ADDR(k) || elf_ppnt->p_filesz > elf_ppnt->p_memsz ||
7040 - elf_ppnt->p_memsz > TASK_SIZE ||
7041 - TASK_SIZE - elf_ppnt->p_memsz < k) {
7042 + if (BAD_ADDR(k) || elf_ppnt->p_filesz > elf_ppnt->p_memsz ||
7043 + elf_ppnt->p_memsz > task_size ||
7044 + task_size - elf_ppnt->p_memsz < k) {
7045 /* set_brk can never work. Avoid overflows. */
7046 send_sig(SIGKILL, current, 0);
7047 goto out_free_dentry;
7048 @@ -901,6 +1186,12 @@ static int load_elf_binary(struct linux_
7049 start_data += load_bias;
7050 end_data += load_bias;
7052 +#ifdef CONFIG_PAX_RANDMMAP
7053 + if (randomize_va_space)
7054 + elf_brk += PAGE_SIZE + pax_delta_mask(pax_get_random_long(), 4, PAGE_SHIFT);
7055 +#undef pax_delta_mask
7058 /* Calling set_brk effectively mmaps the pages that we need
7059 * for the bss and break sections. We must do this before
7060 * mapping in the interpreter, to make sure it doesn't wind
7061 @@ -1153,7 +1444,7 @@ static int dump_seek(struct file *file,
7063 * I think we should skip something. But I am not sure how. H.J.
7065 -static int maydump(struct vm_area_struct *vma)
7066 +static int maydump(struct vm_area_struct *vma, long signr)
7068 /* Do not dump I/O mapped devices or special mappings */
7069 if (vma->vm_flags & (VM_IO | VM_RESERVED))
7070 @@ -1164,7 +1455,7 @@ static int maydump(struct vm_area_struct
7071 return vma->vm_file->f_dentry->d_inode->i_nlink == 0;
7073 /* If it hasn't been written to, don't write it out */
7074 - if (!vma->anon_vma)
7075 + if (signr != SIGKILL && !vma->anon_vma)
7079 @@ -1218,8 +1509,11 @@ static int writenote(struct memelfnote *
7082 #define DUMP_WRITE(addr, nr) \
7084 + gr_learn_resource(current, RLIMIT_CORE, size + (nr), 1); \
7085 if ((size += (nr)) > limit || !dump_write(file, (addr), (nr))) \
7086 - goto end_coredump;
7087 + goto end_coredump; \
7089 #define DUMP_SEEK(off) \
7090 if (!dump_seek(file, (off))) \
7092 @@ -1570,7 +1864,7 @@ static int elf_core_dump(long signr, str
7093 phdr.p_offset = offset;
7094 phdr.p_vaddr = vma->vm_start;
7096 - phdr.p_filesz = maydump(vma) ? sz : 0;
7097 + phdr.p_filesz = maydump(vma, signr) ? sz : 0;
7099 offset += phdr.p_filesz;
7100 phdr.p_flags = vma->vm_flags & VM_READ ? PF_R : 0;
7101 @@ -1603,7 +1897,7 @@ static int elf_core_dump(long signr, str
7102 for (vma = current->mm->mmap; vma != NULL; vma = vma->vm_next) {
7105 - if (!maydump(vma))
7106 + if (!maydump(vma, signr))
7109 for (addr = vma->vm_start;
7110 @@ -1622,6 +1916,7 @@ static int elf_core_dump(long signr, str
7112 flush_cache_page(vma, addr, page_to_pfn(page));
7114 + gr_learn_resource(current, RLIMIT_CORE, size + PAGE_SIZE, 1);
7115 if ((size += PAGE_SIZE) > limit ||
7116 !dump_write(file, kaddr,
7118 diff -urNp linux-2.6.16.12/fs/binfmt_flat.c linux-2.6.16.12/fs/binfmt_flat.c
7119 --- linux-2.6.16.12/fs/binfmt_flat.c 2006-05-01 15:14:26.000000000 -0400
7120 +++ linux-2.6.16.12/fs/binfmt_flat.c 2006-05-01 20:17:33.000000000 -0400
7121 @@ -542,7 +542,9 @@ static int load_flat_file(struct linux_b
7122 realdatastart = (unsigned long) -ENOMEM;
7123 printk("Unable to allocate RAM for process data, errno %d\n",
7125 + down_write(¤t->mm->mmap_sem);
7126 do_munmap(current->mm, textpos, text_len);
7127 + up_write(¤t->mm->mmap_sem);
7128 return realdatastart;
7130 datapos = realdatastart + MAX_SHARED_LIBS * sizeof(unsigned long);
7131 @@ -563,8 +565,10 @@ static int load_flat_file(struct linux_b
7133 if (result >= (unsigned long)-4096) {
7134 printk("Unable to read data+bss, errno %d\n", (int)-result);
7135 + down_write(¤t->mm->mmap_sem);
7136 do_munmap(current->mm, textpos, text_len);
7137 do_munmap(current->mm, realdatastart, data_len + extra);
7138 + up_write(¤t->mm->mmap_sem);
7142 @@ -626,8 +630,10 @@ static int load_flat_file(struct linux_b
7144 if (result >= (unsigned long)-4096) {
7145 printk("Unable to read code+data+bss, errno %d\n",(int)-result);
7146 + down_write(¤t->mm->mmap_sem);
7147 do_munmap(current->mm, textpos, text_len + data_len + extra +
7148 MAX_SHARED_LIBS * sizeof(unsigned long));
7149 + up_write(¤t->mm->mmap_sem);
7153 diff -urNp linux-2.6.16.12/fs/binfmt_misc.c linux-2.6.16.12/fs/binfmt_misc.c
7154 --- linux-2.6.16.12/fs/binfmt_misc.c 2006-05-01 15:14:26.000000000 -0400
7155 +++ linux-2.6.16.12/fs/binfmt_misc.c 2006-05-01 20:17:33.000000000 -0400
7156 @@ -112,9 +112,11 @@ static int load_misc_binary(struct linux
7157 struct files_struct *files = NULL;
7161 + if (!enabled || bprm->misc)
7166 /* to keep locking time low, we copy the interpreter string */
7167 read_lock(&entries_lock);
7168 fmt = check_file(bprm);
7169 diff -urNp linux-2.6.16.12/fs/buffer.c linux-2.6.16.12/fs/buffer.c
7170 --- linux-2.6.16.12/fs/buffer.c 2006-05-01 15:14:26.000000000 -0400
7171 +++ linux-2.6.16.12/fs/buffer.c 2006-05-01 20:17:33.000000000 -0400
7173 #include <linux/bitops.h>
7174 #include <linux/mpage.h>
7175 #include <linux/bit_spinlock.h>
7176 +#include <linux/grsecurity.h>
7178 static int fsync_buffers_list(spinlock_t *lock, struct list_head *list);
7179 static void invalidate_bh_lrus(void);
7180 @@ -2166,6 +2167,7 @@ static int __generic_cont_expand(struct
7183 limit = current->signal->rlim[RLIMIT_FSIZE].rlim_cur;
7184 + gr_learn_resource(current, RLIMIT_FSIZE, (unsigned long) size, 1);
7185 if (limit != RLIM_INFINITY && size > (loff_t)limit) {
7186 send_sig(SIGXFSZ, current, 0);
7188 diff -urNp linux-2.6.16.12/fs/compat.c linux-2.6.16.12/fs/compat.c
7189 --- linux-2.6.16.12/fs/compat.c 2006-05-01 15:14:26.000000000 -0400
7190 +++ linux-2.6.16.12/fs/compat.c 2006-05-01 20:17:33.000000000 -0400
7192 #include <linux/rwsem.h>
7193 #include <linux/acct.h>
7194 #include <linux/mm.h>
7195 +#include <linux/grsecurity.h>
7197 #include <net/sock.h> /* siocdevprivate_ioctl */
7199 @@ -1476,6 +1477,11 @@ int compat_do_execve(char * filename,
7203 +#ifdef CONFIG_GRKERNSEC
7204 + struct file *old_exec_file;
7205 + struct acl_subject_label *old_acl;
7206 + struct rlimit old_rlim[RLIM_NLIMITS];
7210 bprm = kmalloc(sizeof(*bprm), GFP_KERNEL);
7211 @@ -1494,6 +1500,15 @@ int compat_do_execve(char * filename,
7213 bprm->filename = filename;
7214 bprm->interp = filename;
7216 + gr_learn_resource(current, RLIMIT_NPROC, atomic_read(¤t->user->processes), 1);
7218 + if (gr_handle_nproc())
7221 + if (!gr_acl_handle_execve(file->f_dentry, file->f_vfsmnt))
7224 bprm->mm = mm_alloc();
7227 @@ -1532,10 +1547,39 @@ int compat_do_execve(char * filename,
7231 + if (!gr_tpe_allow(file)) {
7236 + if (gr_check_crash_exec(file)) {
7241 + gr_log_chroot_exec(file->f_dentry, file->f_vfsmnt);
7243 + gr_handle_exec_args(bprm, (char __user * __user *)argv);
7245 +#ifdef CONFIG_GRKERNSEC
7246 + old_acl = current->acl;
7247 + memcpy(old_rlim, current->signal->rlim, sizeof(old_rlim));
7248 + old_exec_file = current->exec_file;
7250 + current->exec_file = file;
7253 + gr_set_proc_label(file->f_dentry, file->f_vfsmnt);
7255 retval = search_binary_handler(bprm, regs);
7257 free_arg_pages(bprm);
7259 +#ifdef CONFIG_GRKERNSEC
7260 + if (old_exec_file)
7261 + fput(old_exec_file);
7264 /* execve success */
7265 security_bprm_free(bprm);
7266 acct_update_integrals(current);
7267 @@ -1543,6 +1587,13 @@ int compat_do_execve(char * filename,
7271 +#ifdef CONFIG_GRKERNSEC
7272 + current->acl = old_acl;
7273 + memcpy(current->signal->rlim, old_rlim, sizeof(old_rlim));
7274 + fput(current->exec_file);
7275 + current->exec_file = old_exec_file;
7279 /* Something went wrong, return the inode and free the argument pages*/
7280 for (i = 0 ; i < MAX_ARG_PAGES ; i++) {
7281 diff -urNp linux-2.6.16.12/fs/dcache.c linux-2.6.16.12/fs/dcache.c
7282 --- linux-2.6.16.12/fs/dcache.c 2006-05-01 15:14:26.000000000 -0400
7283 +++ linux-2.6.16.12/fs/dcache.c 2006-05-01 20:17:33.000000000 -0400
7284 @@ -1370,7 +1370,7 @@ already_unhashed:
7286 * "buflen" should be positive. Caller holds the dcache_lock.
7288 -static char * __d_path( struct dentry *dentry, struct vfsmount *vfsmnt,
7289 +char * __d_path( struct dentry *dentry, struct vfsmount *vfsmnt,
7290 struct dentry *root, struct vfsmount *rootmnt,
7291 char *buffer, int buflen)
7293 diff -urNp linux-2.6.16.12/fs/exec.c linux-2.6.16.12/fs/exec.c
7294 --- linux-2.6.16.12/fs/exec.c 2006-05-01 15:14:26.000000000 -0400
7295 +++ linux-2.6.16.12/fs/exec.c 2006-05-01 20:17:33.000000000 -0400
7297 #include <linux/cn_proc.h>
7298 #include <linux/vs_cvirt.h>
7299 #include <linux/vs_memory.h>
7300 +#include <linux/random.h>
7301 +#include <linux/grsecurity.h>
7303 #include <asm/uaccess.h>
7304 #include <asm/mmu_context.h>
7305 @@ -69,6 +71,15 @@ EXPORT_SYMBOL(suid_dumpable);
7306 static struct linux_binfmt *formats;
7307 static DEFINE_RWLOCK(binfmt_lock);
7309 +#ifdef CONFIG_PAX_SOFTMODE
7310 +unsigned int pax_softmode;
7313 +#ifdef CONFIG_PAX_HOOK_ACL_FLAGS
7314 +void (*pax_set_initial_flags_func)(struct linux_binprm * bprm);
7315 +EXPORT_SYMBOL(pax_set_initial_flags_func);
7318 int register_binfmt(struct linux_binfmt * fmt)
7320 struct linux_binfmt ** tmp = &formats;
7321 @@ -314,6 +325,10 @@ void install_arg_page(struct vm_area_str
7322 if (unlikely(anon_vma_prepare(vma)))
7325 +#ifdef CONFIG_PAX_SEGMEXEC
7326 + if (page_count(page) == 1)
7329 flush_dcache_page(page);
7330 pte = get_locked_pte(mm, address, &ptl);
7332 @@ -323,9 +338,21 @@ void install_arg_page(struct vm_area_str
7335 inc_mm_counter(mm, anon_rss);
7337 +#ifdef CONFIG_PAX_SEGMEXEC
7338 + if (page_count(page) == 1)
7341 lru_cache_add_active(page);
7342 set_pte_at(mm, address, pte, pte_mkdirty(pte_mkwrite(mk_pte(
7343 page, vma->vm_page_prot))));
7345 +#ifdef CONFIG_PAX_SEGMEXEC
7346 + if (page_count(page) != 1)
7347 + page_add_anon_rmap(page, vma, address);
7351 page_add_new_anon_rmap(page, vma, address);
7352 pte_unmap_unlock(pte, ptl);
7354 @@ -348,6 +375,10 @@ int setup_arg_pages(struct linux_binprm
7358 +#ifdef CONFIG_PAX_SEGMEXEC
7359 + struct vm_area_struct *mpnt_m = NULL;
7362 #ifdef CONFIG_STACK_GROWSUP
7363 /* Move the argument and environment strings to the bottom of the
7365 @@ -412,6 +443,18 @@ int setup_arg_pages(struct linux_binprm
7367 memset(mpnt, 0, sizeof(*mpnt));
7369 +#ifdef CONFIG_PAX_SEGMEXEC
7370 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (VM_STACK_FLAGS & VM_MAYEXEC)) {
7371 + mpnt_m = kmem_cache_alloc(vm_area_cachep, SLAB_KERNEL);
7373 + kmem_cache_free(vm_area_cachep, mpnt);
7377 + memset(mpnt_m, 0, sizeof(*mpnt_m));
7381 down_write(&mm->mmap_sem);
7384 @@ -432,14 +475,51 @@ int setup_arg_pages(struct linux_binprm
7386 mpnt->vm_flags = VM_STACK_FLAGS;
7387 mpnt->vm_flags |= mm->def_flags;
7389 +#ifdef CONFIG_PAX_PAGEEXEC
7390 + if (!(mm->pax_flags & MF_PAX_PAGEEXEC))
7391 + mpnt->vm_page_prot = protection_map[(mpnt->vm_flags | VM_EXEC) & 0x7];
7395 mpnt->vm_page_prot = protection_map[mpnt->vm_flags & 0x7];
7396 if ((ret = insert_vm_struct(mm, mpnt))) {
7397 up_write(&mm->mmap_sem);
7398 kmem_cache_free(vm_area_cachep, mpnt);
7400 +#ifdef CONFIG_PAX_SEGMEXEC
7402 + kmem_cache_free(vm_area_cachep, mpnt_m);
7407 vx_vmpages_sub(mm, mm->total_vm - vma_pages(mpnt));
7408 mm->stack_vm = mm->total_vm;
7410 +#ifdef CONFIG_PAX_SEGMEXEC
7413 + if (!(mpnt->vm_flags & VM_EXEC)) {
7414 + mpnt_m->vm_flags &= ~(VM_READ | VM_WRITE | VM_EXEC);
7415 + mpnt_m->vm_page_prot = PAGE_NONE;
7417 + mpnt_m->vm_start += SEGMEXEC_TASK_SIZE;
7418 + mpnt_m->vm_end += SEGMEXEC_TASK_SIZE;
7419 + if ((ret = insert_vm_struct(mm, mpnt_m))) {
7420 + up_write(&mm->mmap_sem);
7421 + kmem_cache_free(vm_area_cachep, mpnt_m);
7424 + mpnt_m->vm_flags |= VM_MIRROR;
7425 + mpnt->vm_flags |= VM_MIRROR;
7426 + mpnt_m->vm_mirror = mpnt->vm_start - mpnt_m->vm_start;
7427 + mpnt->vm_mirror = mpnt_m->vm_start - mpnt->vm_start;
7428 + mpnt_m->vm_pgoff = mpnt->vm_pgoff;
7429 + mm->total_vm += vma_pages(mpnt_m);
7435 for (i = 0 ; i < MAX_ARG_PAGES ; i++) {
7436 @@ -447,6 +527,14 @@ int setup_arg_pages(struct linux_binprm
7438 bprm->page[i] = NULL;
7439 install_arg_page(mpnt, page, stack_base);
7441 +#ifdef CONFIG_PAX_SEGMEXEC
7443 + page_cache_get(page);
7444 + install_arg_page(mpnt_m, page, stack_base + SEGMEXEC_TASK_SIZE);
7449 stack_base += PAGE_SIZE;
7451 @@ -1144,6 +1232,11 @@ int do_execve(char * filename,
7455 +#ifdef CONFIG_GRKERNSEC
7456 + struct file *old_exec_file;
7457 + struct acl_subject_label *old_acl;
7458 + struct rlimit old_rlim[RLIM_NLIMITS];
7462 bprm = kmalloc(sizeof(*bprm), GFP_KERNEL);
7463 @@ -1156,10 +1249,29 @@ int do_execve(char * filename,
7467 + gr_learn_resource(current, RLIMIT_NPROC, atomic_read(¤t->user->processes), 1);
7469 + if (gr_handle_nproc()) {
7470 + allow_write_access(file);
7475 + if (!gr_acl_handle_execve(file->f_dentry, file->f_vfsmnt)) {
7476 + allow_write_access(file);
7483 bprm->p = PAGE_SIZE*MAX_ARG_PAGES-sizeof(void *);
7485 +#ifdef CONFIG_PAX_RANDUSTACK
7486 + if (randomize_va_space)
7487 + bprm->p -= (pax_get_random_long() & ~(sizeof(void *)-1)) & ~PAGE_MASK;
7491 bprm->filename = filename;
7492 bprm->interp = filename;
7493 @@ -1201,8 +1313,38 @@ int do_execve(char * filename,
7497 + if (!gr_tpe_allow(file)) {
7502 + if (gr_check_crash_exec(file)) {
7507 + gr_log_chroot_exec(file->f_dentry, file->f_vfsmnt);
7509 + gr_handle_exec_args(bprm, argv);
7511 +#ifdef CONFIG_GRKERNSEC
7512 + old_acl = current->acl;
7513 + memcpy(old_rlim, current->signal->rlim, sizeof(old_rlim));
7514 + old_exec_file = current->exec_file;
7516 + current->exec_file = file;
7519 + retval = gr_set_proc_label(file->f_dentry, file->f_vfsmnt);
7523 retval = search_binary_handler(bprm,regs);
7525 +#ifdef CONFIG_GRKERNSEC
7526 + if (old_exec_file)
7527 + fput(old_exec_file);
7529 free_arg_pages(bprm);
7531 /* execve success */
7532 @@ -1212,6 +1354,14 @@ int do_execve(char * filename,
7537 +#ifdef CONFIG_GRKERNSEC
7538 + current->acl = old_acl;
7539 + memcpy(current->signal->rlim, old_rlim, sizeof(old_rlim));
7540 + fput(current->exec_file);
7541 + current->exec_file = old_exec_file;
7545 /* Something went wrong, return the inode and free the argument pages*/
7546 for (i = 0 ; i < MAX_ARG_PAGES ; i++) {
7547 @@ -1372,6 +1522,114 @@ static void format_corename(char *corena
7551 +int pax_check_flags(unsigned long * flags)
7555 +#if !defined(__i386__) || !defined(CONFIG_PAX_SEGMEXEC)
7556 + if (*flags & MF_PAX_SEGMEXEC)
7558 + *flags &= ~MF_PAX_SEGMEXEC;
7563 + if ((*flags & MF_PAX_PAGEEXEC)
7565 +#ifdef CONFIG_PAX_PAGEEXEC
7566 + && (*flags & MF_PAX_SEGMEXEC)
7571 + *flags &= ~MF_PAX_PAGEEXEC;
7575 + if ((*flags & MF_PAX_MPROTECT)
7577 +#ifdef CONFIG_PAX_MPROTECT
7578 + && !(*flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC))
7583 + *flags &= ~MF_PAX_MPROTECT;
7587 + if ((*flags & MF_PAX_EMUTRAMP)
7589 +#ifdef CONFIG_PAX_EMUTRAMP
7590 + && !(*flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC))
7595 + *flags &= ~MF_PAX_EMUTRAMP;
7602 +EXPORT_SYMBOL(pax_check_flags);
7604 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
7605 +void pax_report_fault(struct pt_regs *regs, void *pc, void *sp)
7607 + struct task_struct *tsk = current;
7608 + struct mm_struct *mm = current->mm;
7609 + char* buffer_exec = (char*)__get_free_page(GFP_ATOMIC);
7610 + char* buffer_fault = (char*)__get_free_page(GFP_ATOMIC);
7611 + char* path_exec=NULL;
7612 + char* path_fault=NULL;
7613 + unsigned long start=0UL, end=0UL, offset=0UL;
7615 + if (buffer_exec && buffer_fault) {
7616 + struct vm_area_struct* vma, * vma_exec=NULL, * vma_fault=NULL;
7618 + down_read(&mm->mmap_sem);
7620 + while (vma && (!vma_exec || !vma_fault)) {
7621 + if ((vma->vm_flags & VM_EXECUTABLE) && vma->vm_file)
7623 + if (vma->vm_start <= (unsigned long)pc && (unsigned long)pc < vma->vm_end)
7625 + vma = vma->vm_next;
7628 + path_exec = d_path(vma_exec->vm_file->f_dentry, vma_exec->vm_file->f_vfsmnt, buffer_exec, PAGE_SIZE);
7629 + if (IS_ERR(path_exec))
7630 + path_exec = "<path too long>";
7633 + start = vma_fault->vm_start;
7634 + end = vma_fault->vm_end;
7635 + offset = vma_fault->vm_pgoff << PAGE_SHIFT;
7636 + if (vma_fault->vm_file) {
7637 + path_fault = d_path(vma_fault->vm_file->f_dentry, vma_fault->vm_file->f_vfsmnt, buffer_fault, PAGE_SIZE);
7638 + if (IS_ERR(path_fault))
7639 + path_fault = "<path too long>";
7641 + path_fault = "<anonymous mapping>";
7643 + up_read(&mm->mmap_sem);
7645 + if (tsk->signal->curr_ip)
7646 + printk(KERN_ERR "PAX: From %u.%u.%u.%u: execution attempt in: %s, %08lx-%08lx %08lx\n", NIPQUAD(tsk->signal->curr_ip), path_fault, start, end, offset);
7648 + printk(KERN_ERR "PAX: execution attempt in: %s, %08lx-%08lx %08lx\n", path_fault, start, end, offset);
7649 + printk(KERN_ERR "PAX: terminating task: %s(%s):%d, uid/euid: %u/%u, "
7650 + "PC: %p, SP: %p\n", path_exec, tsk->comm, tsk->pid,
7651 + tsk->uid, tsk->euid, pc, sp);
7652 + free_page((unsigned long)buffer_exec);
7653 + free_page((unsigned long)buffer_fault);
7654 + pax_report_insns(pc, sp);
7655 + do_coredump(SIGKILL, SIGKILL, regs);
7659 static void zap_threads (struct mm_struct *mm)
7661 struct task_struct *g, *p;
7662 @@ -1489,6 +1747,10 @@ int do_coredump(long signr, int exit_cod
7664 clear_thread_flag(TIF_SIGPENDING);
7666 + if (signr == SIGKILL || signr == SIGILL)
7667 + gr_handle_brute_attach(current);
7669 + gr_learn_resource(current, RLIMIT_CORE, binfmt->min_coredump, 1);
7670 if (current->signal->rlim[RLIMIT_CORE].rlim_cur < binfmt->min_coredump)
7673 diff -urNp linux-2.6.16.12/fs/fcntl.c linux-2.6.16.12/fs/fcntl.c
7674 --- linux-2.6.16.12/fs/fcntl.c 2006-05-01 15:14:26.000000000 -0400
7675 +++ linux-2.6.16.12/fs/fcntl.c 2006-05-01 20:17:33.000000000 -0400
7677 #include <linux/signal.h>
7678 #include <linux/rcupdate.h>
7679 #include <linux/vs_limit.h>
7680 +#include <linux/grsecurity.h>
7682 #include <asm/poll.h>
7683 #include <asm/siginfo.h>
7684 @@ -64,6 +65,7 @@ static int locate_fd(struct files_struct
7685 struct fdtable *fdt;
7688 + gr_learn_resource(current, RLIMIT_NOFILE, orig_start, 0);
7689 if (orig_start >= current->signal->rlim[RLIMIT_NOFILE].rlim_cur)
7692 @@ -84,6 +86,7 @@ repeat:
7696 + gr_learn_resource(current, RLIMIT_NOFILE, newfd, 0);
7697 if (newfd >= current->signal->rlim[RLIMIT_NOFILE].rlim_cur)
7699 if (!vx_files_avail(1))
7700 @@ -146,6 +149,8 @@ asmlinkage long sys_dup2(unsigned int ol
7701 struct files_struct * files = current->files;
7702 struct fdtable *fdt;
7704 + gr_learn_resource(current, RLIMIT_NOFILE, newfd, 0);
7706 spin_lock(&files->file_lock);
7707 if (!(file = fcheck(oldfd)))
7709 @@ -435,7 +440,8 @@ static inline int sigio_perm(struct task
7710 return (((fown->euid == 0) ||
7711 (fown->euid == p->suid) || (fown->euid == p->uid) ||
7712 (fown->uid == p->suid) || (fown->uid == p->uid)) &&
7713 - !security_file_send_sigiotask(p, fown, sig));
7714 + !security_file_send_sigiotask(p, fown, sig) &&
7715 + !gr_check_protected_task(p) && !gr_pid_is_chrooted(p));
7718 static void send_sigio_to_task(struct task_struct *p,
7719 diff -urNp linux-2.6.16.12/fs/Kconfig linux-2.6.16.12/fs/Kconfig
7720 --- linux-2.6.16.12/fs/Kconfig 2006-05-01 15:14:26.000000000 -0400
7721 +++ linux-2.6.16.12/fs/Kconfig 2006-05-01 20:17:33.000000000 -0400
7722 @@ -796,7 +796,7 @@ config PROC_FS
7725 bool "/proc/kcore support" if !ARM
7726 - depends on PROC_FS && MMU
7727 + depends on PROC_FS && MMU && !GRKERNSEC_PROC_ADD
7730 bool "/proc/vmcore support (EXPERIMENTAL)"
7731 diff -urNp linux-2.6.16.12/fs/namei.c linux-2.6.16.12/fs/namei.c
7732 --- linux-2.6.16.12/fs/namei.c 2006-05-01 15:14:26.000000000 -0400
7733 +++ linux-2.6.16.12/fs/namei.c 2006-05-01 20:17:33.000000000 -0400
7735 #include <linux/vserver/inode.h>
7736 #include <linux/vs_tag.h>
7737 #include <linux/vserver/debug.h>
7738 +#include <linux/grsecurity.h>
7739 #include <asm/namei.h>
7740 #include <asm/uaccess.h>
7742 @@ -632,6 +633,13 @@ static inline int do_follow_link(struct
7743 err = security_inode_follow_link(path->dentry, nd);
7747 + if (gr_handle_follow_link(path->dentry->d_parent->d_inode,
7748 + path->dentry->d_inode, path->dentry, nd->mnt)) {
7753 current->link_count++;
7754 current->total_link_count++;
7756 @@ -994,11 +1002,18 @@ return_reval:
7760 + if (!gr_acl_handle_hidden_file(nd->dentry, nd->mnt)) {
7766 dput_path(&next, nd);
7769 + if (!gr_acl_handle_hidden_file(nd->dentry, nd->mnt))
7775 @@ -1652,6 +1667,17 @@ int open_namei(int dfd, const char *path
7780 + if (gr_handle_rawio(nd->dentry->d_inode)) {
7785 + if (!gr_acl_handle_open(nd->dentry, nd->mnt, flag)) {
7793 @@ -1686,9 +1712,16 @@ do_last:
7795 /* Negative dentry, just create the file */
7796 if (!path.dentry->d_inode) {
7797 + if (!gr_acl_handle_creat(path.dentry, nd->dentry, nd->mnt, flag, mode)) {
7799 + mutex_unlock(&dir->d_inode->i_mutex);
7802 if (!IS_POSIXACL(dir->d_inode))
7803 mode &= ~current->fs->umask;
7804 error = vfs_create(dir->d_inode, path.dentry, mode, nd);
7806 + gr_handle_create(path.dentry, nd->mnt);
7807 mutex_unlock(&dir->d_inode->i_mutex);
7809 nd->dentry = path.dentry;
7810 @@ -1703,6 +1736,23 @@ do_last:
7812 * It already exists.
7815 + if (gr_handle_rawio(path.dentry->d_inode)) {
7816 + mutex_unlock(&dir->d_inode->i_mutex);
7820 + if (!gr_acl_handle_open(path.dentry, nd->mnt, flag)) {
7821 + mutex_unlock(&dir->d_inode->i_mutex);
7825 + if (gr_handle_fifo(path.dentry, nd->mnt, dir, flag, acc_mode)) {
7826 + mutex_unlock(&dir->d_inode->i_mutex);
7831 mutex_unlock(&dir->d_inode->i_mutex);
7834 @@ -1768,6 +1818,13 @@ do_link:
7835 error = security_inode_follow_link(path.dentry, nd);
7839 + if (gr_handle_follow_link(path.dentry->d_parent->d_inode, path.dentry->d_inode,
7840 + path.dentry, nd->mnt)) {
7845 error = __do_follow_link(&path, nd);
7848 @@ -1889,6 +1946,22 @@ asmlinkage long sys_mknodat(int dfd, con
7849 if (!IS_POSIXACL(nd.dentry->d_inode))
7850 mode &= ~current->fs->umask;
7851 if (!IS_ERR(dentry)) {
7852 + if (gr_handle_chroot_mknod(dentry, nd.mnt, mode)) {
7855 + mutex_unlock(&nd.dentry->d_inode->i_mutex);
7856 + path_release(&nd);
7860 + if (!gr_acl_handle_mknod(dentry, nd.dentry, nd.mnt, mode)) {
7863 + mutex_unlock(&nd.dentry->d_inode->i_mutex);
7864 + path_release(&nd);
7868 switch (mode & S_IFMT) {
7869 case 0: case S_IFREG:
7870 error = vfs_create(nd.dentry->d_inode,dentry,mode,&nd);
7871 @@ -1907,6 +1980,10 @@ asmlinkage long sys_mknodat(int dfd, con
7877 + gr_handle_create(dentry, nd.mnt);
7881 mutex_unlock(&nd.dentry->d_inode->i_mutex);
7882 @@ -1962,10 +2039,19 @@ asmlinkage long sys_mkdirat(int dfd, con
7883 dentry = lookup_create(&nd, 1);
7884 error = PTR_ERR(dentry);
7885 if (!IS_ERR(dentry)) {
7887 if (!IS_POSIXACL(nd.dentry->d_inode))
7888 mode &= ~current->fs->umask;
7889 - error = vfs_mkdir(nd.dentry->d_inode, dentry,
7892 + if (!gr_acl_handle_mkdir(dentry, nd.dentry, nd.mnt))
7896 + error = vfs_mkdir(nd.dentry->d_inode, dentry,
7899 + gr_handle_create(dentry, nd.mnt);
7903 mutex_unlock(&nd.dentry->d_inode->i_mutex);
7904 @@ -2050,6 +2136,8 @@ static long do_rmdir(int dfd, const char
7906 struct dentry *dentry;
7907 struct nameidata nd;
7908 + ino_t saved_ino = 0;
7909 + dev_t saved_dev = 0;
7911 name = getname(pathname);
7913 @@ -2074,7 +2162,21 @@ static long do_rmdir(int dfd, const char
7914 dentry = lookup_hash(&nd);
7915 error = PTR_ERR(dentry);
7916 if (!IS_ERR(dentry)) {
7917 - error = vfs_rmdir(nd.dentry->d_inode, dentry, &nd);
7919 + if (dentry->d_inode) {
7920 + if (dentry->d_inode->i_nlink <= 1) {
7921 + saved_ino = dentry->d_inode->i_ino;
7922 + saved_dev = dentry->d_inode->i_sb->s_dev;
7925 + if (!gr_acl_handle_rmdir(dentry, nd.mnt))
7930 + error = vfs_rmdir(nd.dentry->d_inode, dentry, &nd);
7931 + if (!error && (saved_dev || saved_ino))
7932 + gr_handle_delete(saved_ino, saved_dev);
7935 mutex_unlock(&nd.dentry->d_inode->i_mutex);
7936 @@ -2134,6 +2236,8 @@ static long do_unlinkat(int dfd, const c
7937 struct dentry *dentry;
7938 struct nameidata nd;
7939 struct inode *inode = NULL;
7940 + ino_t saved_ino = 0;
7941 + dev_t saved_dev = 0;
7943 name = getname(pathname);
7945 @@ -2149,13 +2253,26 @@ static long do_unlinkat(int dfd, const c
7946 dentry = lookup_hash(&nd);
7947 error = PTR_ERR(dentry);
7948 if (!IS_ERR(dentry)) {
7950 /* Why not before? Because we want correct error value */
7951 if (nd.last.name[nd.last.len])
7953 inode = dentry->d_inode;
7956 + if (inode->i_nlink <= 1) {
7957 + saved_ino = inode->i_ino;
7958 + saved_dev = inode->i_sb->s_dev;
7961 + if (!gr_acl_handle_unlink(dentry, nd.mnt))
7964 atomic_inc(&inode->i_count);
7965 - error = vfs_unlink(nd.dentry->d_inode, dentry, &nd);
7968 + error = vfs_unlink(nd.dentry->d_inode, dentry, &nd);
7969 + if (!error && (saved_ino || saved_dev))
7970 + gr_handle_delete(saved_ino, saved_dev);
7974 @@ -2234,8 +2351,16 @@ asmlinkage long sys_symlinkat(const char
7975 dentry = lookup_create(&nd, 0);
7976 error = PTR_ERR(dentry);
7977 if (!IS_ERR(dentry)) {
7978 - error = vfs_symlink(nd.dentry->d_inode, dentry,
7979 - from, S_IALLUGO, &nd);
7981 + if (!gr_acl_handle_symlink(dentry, nd.dentry, nd.mnt, from))
7985 + error = vfs_symlink(nd.dentry->d_inode, dentry,
7986 + from, S_IALLUGO, &nd);
7989 + gr_handle_create(dentry, nd.mnt);
7992 mutex_unlock(&nd.dentry->d_inode->i_mutex);
7993 @@ -2328,8 +2453,21 @@ asmlinkage long sys_linkat(int olddfd, c
7994 new_dentry = lookup_create(&nd, 0);
7995 error = PTR_ERR(new_dentry);
7996 if (!IS_ERR(new_dentry)) {
7997 - error = vfs_link(old_nd.dentry, nd.dentry->d_inode,
8000 + if (gr_handle_hardlink(old_nd.dentry, old_nd.mnt,
8001 + old_nd.dentry->d_inode,
8002 + old_nd.dentry->d_inode->i_mode, to))
8004 + if (!gr_acl_handle_link(new_dentry, nd.dentry, nd.mnt,
8005 + old_nd.dentry, old_nd.mnt, to))
8008 + error = vfs_link(old_nd.dentry, nd.dentry->d_inode, new_dentry,
8012 + gr_handle_create(new_dentry, nd.mnt);
8016 mutex_unlock(&nd.dentry->d_inode->i_mutex);
8017 @@ -2558,8 +2696,16 @@ static int do_rename(int olddfd, const c
8018 if (new_dentry == trap)
8021 - error = vfs_rename(old_dir->d_inode, old_dentry,
8022 + error = gr_acl_handle_rename(new_dentry, newnd.dentry, newnd.mnt,
8023 + old_dentry, old_dir->d_inode, oldnd.mnt,
8027 + error = vfs_rename(old_dir->d_inode, old_dentry,
8028 new_dir->d_inode, new_dentry);
8030 + gr_handle_rename(old_dir->d_inode, newnd.dentry->d_inode, old_dentry,
8031 + new_dentry, oldnd.mnt, new_dentry->d_inode ? 1 : 0);
8035 diff -urNp linux-2.6.16.12/fs/namespace.c linux-2.6.16.12/fs/namespace.c
8036 --- linux-2.6.16.12/fs/namespace.c 2006-05-01 15:14:26.000000000 -0400
8037 +++ linux-2.6.16.12/fs/namespace.c 2006-05-01 20:17:33.000000000 -0400
8039 #include <linux/mount.h>
8040 #include <linux/vserver/namespace.h>
8041 #include <linux/vserver/tag.h>
8042 +#include <linux/sched.h>
8043 +#include <linux/grsecurity.h>
8044 #include <asm/uaccess.h>
8045 #include <asm/unistd.h>
8047 @@ -630,6 +632,8 @@ static int do_umount(struct vfsmount *mn
8048 DQUOT_OFF(sb->s_dqh);
8049 retval = do_remount_sb(sb, MS_RDONLY, NULL, 0);
8052 + gr_log_remount(mnt->mnt_devname, retval);
8054 up_write(&sb->s_umount);
8056 @@ -650,6 +654,9 @@ static int do_umount(struct vfsmount *mn
8057 security_sb_umount_busy(mnt);
8058 up_write(&namespace_sem);
8059 release_mounts(&umount_list);
8061 + gr_log_unmount(mnt->mnt_devname, retval);
8066 @@ -1400,6 +1407,11 @@ long do_mount(char *dev_name, char *dir_
8070 + if (gr_handle_chroot_mount(nd.dentry, nd.mnt, dev_name)) {
8075 if (flags & MS_REMOUNT)
8076 retval = do_remount(&nd, flags & ~MS_REMOUNT, mnt_flags,
8078 @@ -1414,6 +1426,9 @@ long do_mount(char *dev_name, char *dir_
8079 dev_name, data_page);
8083 + gr_log_mount(dev_name, dir_name, retval);
8088 @@ -1666,6 +1681,9 @@ asmlinkage long sys_pivot_root(const cha
8089 if (!capable(CAP_SYS_ADMIN))
8092 + if (gr_handle_chroot_pivot())
8097 error = __user_walk(new_root, LOOKUP_FOLLOW | LOOKUP_DIRECTORY,
8098 diff -urNp linux-2.6.16.12/fs/open.c linux-2.6.16.12/fs/open.c
8099 --- linux-2.6.16.12/fs/open.c 2006-05-01 15:14:26.000000000 -0400
8100 +++ linux-2.6.16.12/fs/open.c 2006-05-01 20:17:33.000000000 -0400
8102 #include <linux/vs_limit.h>
8103 #include <linux/vs_dlimit.h>
8104 #include <linux/vserver/tag.h>
8105 +#include <linux/grsecurity.h>
8107 #include <asm/unistd.h>
8109 @@ -211,6 +212,9 @@ int do_truncate(struct dentry *dentry, l
8113 + if (filp && !gr_acl_handle_truncate(dentry, filp->f_vfsmnt))
8116 newattrs.ia_size = length;
8117 newattrs.ia_valid = ATTR_SIZE | time_attrs;
8119 @@ -411,6 +415,12 @@ asmlinkage long sys_utime(char __user *
8120 (error = vfs_permission(&nd, MAY_WRITE)) != 0)
8124 + if (!gr_acl_handle_utime(nd.dentry, nd.mnt)) {
8126 + goto dput_and_out;
8129 mutex_lock(&inode->i_mutex);
8130 error = notify_change(nd.dentry, &newattrs);
8131 mutex_unlock(&inode->i_mutex);
8132 @@ -464,6 +474,12 @@ long do_utimes(int dfd, char __user *fil
8133 (error = vfs_permission(&nd, MAY_WRITE)) != 0)
8137 + if (!gr_acl_handle_utime(nd.dentry, nd.mnt)) {
8139 + goto dput_and_out;
8142 mutex_lock(&inode->i_mutex);
8143 error = notify_change(nd.dentry, &newattrs);
8144 mutex_unlock(&inode->i_mutex);
8145 @@ -531,6 +547,10 @@ asmlinkage long sys_faccessat(int dfd, c
8146 && (IS_RDONLY(nd.dentry->d_inode) || MNT_IS_RDONLY(nd.mnt))
8147 && !special_file(nd.dentry->d_inode->i_mode))
8150 + if (!res && !gr_acl_handle_access(nd.dentry, nd.mnt, mode))
8156 @@ -559,6 +579,8 @@ asmlinkage long sys_chdir(const char __u
8160 + gr_log_chdir(nd.dentry, nd.mnt);
8162 set_fs_pwd(current->fs, nd.mnt, nd.dentry);
8165 @@ -589,6 +611,13 @@ asmlinkage long sys_fchdir(unsigned int
8168 error = file_permission(file, MAY_EXEC);
8170 + if (!error && !gr_chroot_fchdir(dentry, mnt))
8174 + gr_log_chdir(dentry, mnt);
8177 set_fs_pwd(current->fs, mnt, dentry);
8179 @@ -614,8 +643,16 @@ asmlinkage long sys_chroot(const char __
8180 if (!capable(CAP_SYS_CHROOT))
8183 + if (gr_handle_chroot_chroot(nd.dentry, nd.mnt))
8184 + goto dput_and_out;
8186 set_fs_root(current->fs, nd.mnt, nd.dentry);
8189 + gr_handle_chroot_caps(current);
8191 + gr_handle_chroot_chdir(nd.dentry, nd.mnt);
8196 @@ -644,9 +681,22 @@ asmlinkage long sys_fchmod(unsigned int
8198 if (IS_IMMUTABLE(inode) || IS_APPEND(inode))
8201 + if (!gr_acl_handle_fchmod(dentry, file->f_vfsmnt, mode)) {
8206 mutex_lock(&inode->i_mutex);
8207 if (mode == (mode_t) -1)
8208 mode = inode->i_mode;
8210 + if (gr_handle_chroot_chmod(dentry, file->f_vfsmnt, mode)) {
8212 + mutex_unlock(&inode->i_mutex);
8216 newattrs.ia_mode = (mode & S_IALLUGO) | (inode->i_mode & ~S_IALLUGO);
8217 newattrs.ia_valid = ATTR_MODE | ATTR_CTIME;
8218 err = notify_change(dentry, &newattrs);
8219 @@ -679,9 +729,21 @@ asmlinkage long sys_fchmodat(int dfd, co
8220 if (IS_IMMUTABLE(inode) || IS_APPEND(inode))
8223 + if (!gr_acl_handle_chmod(nd.dentry, nd.mnt, mode)) {
8225 + goto dput_and_out;
8228 mutex_lock(&inode->i_mutex);
8229 if (mode == (mode_t) -1)
8230 mode = inode->i_mode;
8232 + if (gr_handle_chroot_chmod(nd.dentry, nd.mnt, mode)) {
8234 + mutex_unlock(&inode->i_mutex);
8235 + goto dput_and_out;
8238 newattrs.ia_mode = (mode & S_IALLUGO) | (inode->i_mode & ~S_IALLUGO);
8239 newattrs.ia_valid = ATTR_MODE | ATTR_CTIME;
8240 error = notify_change(nd.dentry, &newattrs);
8241 @@ -716,6 +778,12 @@ static int chown_common(struct dentry *
8243 if (IS_IMMUTABLE(inode) || IS_APPEND(inode))
8246 + if (!gr_acl_handle_chown(dentry, mnt)) {
8251 newattrs.ia_valid = ATTR_CTIME;
8252 if (user != (uid_t) -1) {
8253 newattrs.ia_valid |= ATTR_UID;
8254 @@ -992,6 +1061,7 @@ repeat:
8255 * N.B. For clone tasks sharing a files structure, this test
8256 * will limit the total number of files that can be opened.
8258 + gr_learn_resource(current, RLIMIT_NOFILE, fd, 0);
8259 if (fd >= current->signal->rlim[RLIMIT_NOFILE].rlim_cur)
8262 diff -urNp linux-2.6.16.12/fs/proc/array.c linux-2.6.16.12/fs/proc/array.c
8263 --- linux-2.6.16.12/fs/proc/array.c 2006-05-01 15:14:26.000000000 -0400
8264 +++ linux-2.6.16.12/fs/proc/array.c 2006-05-01 20:17:33.000000000 -0400
8265 @@ -306,6 +306,21 @@ static inline char *task_cap(struct task
8266 (unsigned)vx_info_mbcap(vxi, p->cap_effective));
8269 +#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
8270 +static inline char *task_pax(struct task_struct *p, char *buffer)
8273 + return buffer + sprintf(buffer, "PaX:\t%c%c%c%c%c\n",
8274 + p->mm->pax_flags & MF_PAX_PAGEEXEC ? 'P' : 'p',
8275 + p->mm->pax_flags & MF_PAX_EMUTRAMP ? 'E' : 'e',
8276 + p->mm->pax_flags & MF_PAX_MPROTECT ? 'M' : 'm',
8277 + p->mm->pax_flags & MF_PAX_RANDMMAP ? 'R' : 'r',
8278 + p->mm->pax_flags & MF_PAX_SEGMEXEC ? 'S' : 's');
8280 + return buffer + sprintf(buffer, "PaX:\t-----\n");
8284 int proc_pid_status(struct task_struct *task, char * buffer)
8286 char * orig = buffer;
8287 @@ -370,9 +385,20 @@ int proc_pid_status(struct task_struct *
8288 #if defined(CONFIG_S390)
8289 buffer = task_show_regs(task, buffer);
8292 +#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
8293 + buffer = task_pax(task, buffer);
8296 return buffer - orig;
8299 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
8300 +#define PAX_RAND_FLAGS(_mm) (_mm != NULL && _mm != current->mm && \
8301 + (_mm->pax_flags & MF_PAX_RANDMMAP || \
8302 + _mm->pax_flags & MF_PAX_SEGMEXEC))
8305 static int do_task_stat(struct task_struct *task, char * buffer, int whole)
8307 unsigned long vsize, eip, esp, wchan = ~0UL;
8308 @@ -463,6 +489,19 @@ static int do_task_stat(struct task_stru
8309 stime = task->stime;
8312 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
8313 + if (PAX_RAND_FLAGS(mm)) {
8319 +#ifdef CONFIG_GRKERNSEC_HIDESYM
8325 /* scale priority and nice values from timeslices to -20..20 */
8326 /* to make it look like a "normal" Unix priority/nice value */
8327 priority = task_prio(task);
8328 @@ -514,9 +553,15 @@ static int do_task_stat(struct task_stru
8330 mm ? get_mm_rss(mm) : 0,
8332 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
8333 + PAX_RAND_FLAGS(mm) ? 1 : (mm ? mm->start_code : 0),
8334 + PAX_RAND_FLAGS(mm) ? 1 : (mm ? mm->end_code : 0),
8335 + PAX_RAND_FLAGS(mm) ? 0 : (mm ? mm->start_stack : 0),
8337 mm ? mm->start_code : 0,
8338 mm ? mm->end_code : 0,
8339 mm ? mm->start_stack : 0,
8343 /* The signal information here is obsolete.
8344 @@ -562,3 +607,14 @@ int proc_pid_statm(struct task_struct *t
8345 return sprintf(buffer,"%d %d %d %d %d %d %d\n",
8346 size, resident, shared, text, lib, data, 0);
8349 +#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
8350 +int proc_pid_ipaddr(struct task_struct *task, char * buffer)
8354 + len = sprintf(buffer, "%u.%u.%u.%u\n", NIPQUAD(task->signal->curr_ip));
8359 diff -urNp linux-2.6.16.12/fs/proc/base.c linux-2.6.16.12/fs/proc/base.c
8360 --- linux-2.6.16.12/fs/proc/base.c 2006-05-01 15:14:26.000000000 -0400
8361 +++ linux-2.6.16.12/fs/proc/base.c 2006-05-01 20:17:33.000000000 -0400
8363 #include <linux/poll.h>
8364 #include <linux/vs_network.h>
8365 #include <linux/vs_pid.h>
8366 +#include <linux/grsecurity.h>
8367 #include "internal.h"
8370 @@ -128,6 +129,9 @@ enum pid_directory_inos {
8371 #ifdef CONFIG_AUDITSYSCALL
8374 +#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
8377 PROC_TGID_OOM_SCORE,
8378 PROC_TGID_OOM_ADJUST,
8380 @@ -207,6 +211,9 @@ static struct pid_entry tgid_base_stuff[
8381 E(PROC_TGID_ROOT, "root", S_IFLNK|S_IRWXUGO),
8382 E(PROC_TGID_EXE, "exe", S_IFLNK|S_IRWXUGO),
8383 E(PROC_TGID_MOUNTS, "mounts", S_IFREG|S_IRUGO),
8384 +#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
8385 + E(PROC_TGID_IPADDR, "ipaddr", S_IFREG|S_IRUSR),
8388 E(PROC_TGID_SMAPS, "smaps", S_IFREG|S_IRUGO),
8390 @@ -417,7 +424,7 @@ static int proc_task_root_link(struct in
8391 (task->parent == current && \
8392 (task->ptrace & PT_PTRACED) && \
8393 (task->state == TASK_STOPPED || task->state == TASK_TRACED) && \
8394 - security_ptrace(current,task) == 0))
8395 + security_ptrace(current,task) == 0 && !gr_handle_proc_ptrace(task)))
8397 static int proc_pid_environ(struct task_struct *task, char * buffer)
8399 @@ -601,9 +608,25 @@ static int proc_check_root(struct inode
8401 static int proc_permission(struct inode *inode, int mask, struct nameidata *nd)
8403 + int ret = -EACCES;
8404 + struct task_struct *task;
8406 if (generic_permission(inode, mask, NULL) != 0)
8408 - return proc_check_root(inode);
8411 + ret = proc_check_root(inode);
8415 + task = proc_task(inode);
8420 + ret = gr_acl_handle_procpidmem(task);
8426 static int proc_task_permission(struct inode *inode, int mask, struct nameidata *nd)
8427 @@ -1361,6 +1384,9 @@ static struct inode *proc_pid_make_inode
8429 /* procfs is xid tagged */
8430 inode->i_tag = (tag_t)vx_task_xid(task);
8431 +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
8432 + inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
8434 security_task_to_inode(task, inode);
8437 @@ -1394,7 +1420,9 @@ static int pid_revalidate(struct dentry
8438 if (pid_alive(task)) {
8439 if (proc_type(inode) == PROC_TGID_INO || proc_type(inode) == PROC_TID_INO || task_dumpable(task)) {
8440 inode->i_uid = task->euid;
8441 +#ifndef CONFIG_GRKERNSEC_PROC_USERGROUP
8442 inode->i_gid = task->egid;
8447 @@ -1726,6 +1754,12 @@ static struct dentry *proc_pident_lookup
8448 inode->i_fop = &proc_info_file_operations;
8449 ei->op.proc_read = proc_pid_status;
8451 +#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
8452 + case PROC_TGID_IPADDR:
8453 + inode->i_fop = &proc_info_file_operations;
8454 + ei->op.proc_read = proc_pid_ipaddr;
8458 inode->i_fop = &proc_info_file_operations;
8459 ei->op.proc_read = proc_tid_stat;
8460 @@ -2066,11 +2100,35 @@ struct dentry *proc_pid_lookup(struct in
8461 if (!proc_pid_visible(task, tgid))
8464 + if (gr_check_hidden_task(task)) {
8465 + put_task_struct(task);
8469 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
8470 + if (current->uid && (task->uid != current->uid)
8471 +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
8472 + && !in_group_p(CONFIG_GRKERNSEC_PROC_GID)
8475 + put_task_struct(task);
8480 inode = proc_pid_make_inode(dir->i_sb, task, PROC_TGID_INO);
8485 +#ifdef CONFIG_GRKERNSEC_PROC_USER
8486 + inode->i_mode = S_IFDIR|S_IRUSR|S_IXUSR;
8487 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
8488 + inode->i_mode = S_IFDIR|S_IRUSR|S_IXUSR|S_IRGRP|S_IXGRP;
8489 + inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
8491 inode->i_mode = S_IFDIR|S_IRUGO|S_IXUGO;
8493 inode->i_op = &proc_tgid_base_inode_operations;
8494 inode->i_fop = &proc_tgid_base_operations;
8495 inode->i_flags|=S_IMMUTABLE;
8496 @@ -2169,6 +2227,9 @@ out:
8497 static int get_tgid_list(int index, unsigned long version, unsigned int *tgids)
8499 struct task_struct *p;
8500 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
8501 + struct task_struct *tmp = current;
8506 @@ -2193,6 +2254,18 @@ static int get_tgid_list(int index, unsi
8507 /* check for context visibility */
8508 if (!proc_pid_visible(p, tgid))
8510 + if (gr_pid_is_chrooted(p))
8512 + if (gr_check_hidden_task(p))
8514 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
8515 + if (tmp->uid && (p->uid != tmp->uid)
8516 +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
8517 + && !in_group_p(CONFIG_GRKERNSEC_PROC_GID)
8524 tgids[nr_tgids] = vx_map_tgid(tgid);
8525 diff -urNp linux-2.6.16.12/fs/proc/inode.c linux-2.6.16.12/fs/proc/inode.c
8526 --- linux-2.6.16.12/fs/proc/inode.c 2006-05-01 15:14:26.000000000 -0400
8527 +++ linux-2.6.16.12/fs/proc/inode.c 2006-05-01 20:17:33.000000000 -0400
8528 @@ -168,7 +168,11 @@ struct inode *proc_get_inode(struct supe
8530 inode->i_mode = de->mode;
8531 inode->i_uid = de->uid;
8532 +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
8533 + inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
8535 inode->i_gid = de->gid;
8539 PROC_I(inode)->vx_flags = de->vx_flags;
8540 diff -urNp linux-2.6.16.12/fs/proc/internal.h linux-2.6.16.12/fs/proc/internal.h
8541 --- linux-2.6.16.12/fs/proc/internal.h 2006-05-01 15:14:26.000000000 -0400
8542 +++ linux-2.6.16.12/fs/proc/internal.h 2006-05-01 20:17:33.000000000 -0400
8543 @@ -36,6 +36,9 @@ extern int proc_tid_stat(struct task_str
8544 extern int proc_tgid_stat(struct task_struct *, char *);
8545 extern int proc_pid_status(struct task_struct *, char *);
8546 extern int proc_pid_statm(struct task_struct *, char *);
8547 +#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
8548 +extern int proc_pid_ipaddr(struct task_struct*,char*);
8551 void free_proc_entry(struct proc_dir_entry *de);
8553 diff -urNp linux-2.6.16.12/fs/proc/proc_misc.c linux-2.6.16.12/fs/proc/proc_misc.c
8554 --- linux-2.6.16.12/fs/proc/proc_misc.c 2006-05-01 15:14:26.000000000 -0400
8555 +++ linux-2.6.16.12/fs/proc/proc_misc.c 2006-05-01 20:17:33.000000000 -0400
8556 @@ -651,6 +651,8 @@ void create_seq_entry(char *name, mode_t
8557 void __init proc_misc_init(void)
8559 struct proc_dir_entry *entry;
8564 int (*read_proc)(char*,char**,off_t,int,int*,void*);
8565 @@ -666,7 +668,9 @@ void __init proc_misc_init(void)
8566 {"stram", stram_read_proc},
8568 {"filesystems", filesystems_read_proc},
8569 +#ifndef CONFIG_GRKERNSEC_PROC_ADD
8570 {"cmdline", cmdline_read_proc},
8572 {"locks", locks_read_proc},
8573 {"execdomains", execdomains_read_proc},
8575 @@ -674,31 +678,49 @@ void __init proc_misc_init(void)
8576 for (p = simple_ones; p->name; p++)
8577 create_proc_read_entry(p->name, 0, NULL, p->read_proc, NULL);
8579 +#ifdef CONFIG_GRKERNSEC_PROC_USER
8580 + gr_mode = S_IRUSR;
8581 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
8582 + gr_mode = S_IRUSR | S_IRGRP;
8584 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
8585 + create_proc_read_entry("cmdline", gr_mode, NULL, &cmdline_read_proc, NULL);
8588 proc_symlink("mounts", NULL, "self/mounts");
8590 /* And now for trickier ones */
8591 entry = create_proc_entry("kmsg", S_IRUSR, &proc_root);
8593 entry->proc_fops = &proc_kmsg_operations;
8595 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
8596 + create_seq_entry("devices", gr_mode, &proc_devinfo_operations);
8598 create_seq_entry("devices", 0, &proc_devinfo_operations);
8600 create_seq_entry("cpuinfo", 0, &proc_cpuinfo_operations);
8601 create_seq_entry("partitions", 0, &proc_partitions_operations);
8602 create_seq_entry("stat", 0, &proc_stat_operations);
8603 create_seq_entry("interrupts", 0, &proc_interrupts_operations);
8605 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
8606 + create_seq_entry("slabinfo",S_IWUSR|gr_mode,&proc_slabinfo_operations);
8608 create_seq_entry("slabinfo",S_IWUSR|S_IRUGO,&proc_slabinfo_operations);
8611 create_seq_entry("buddyinfo",S_IRUGO, &fragmentation_file_operations);
8612 create_seq_entry("vmstat",S_IRUGO, &proc_vmstat_file_operations);
8613 create_seq_entry("zoneinfo",S_IRUGO, &proc_zoneinfo_file_operations);
8614 create_seq_entry("diskstats", 0, &proc_diskstats_operations);
8615 #ifdef CONFIG_MODULES
8616 - create_seq_entry("modules", 0, &proc_modules_operations);
8617 + create_seq_entry("modules", gr_mode, &proc_modules_operations);
8619 #ifdef CONFIG_SCHEDSTATS
8620 create_seq_entry("schedstat", 0, &proc_schedstat_operations);
8622 -#ifdef CONFIG_PROC_KCORE
8623 +#if defined(CONFIG_PROC_KCORE) && !defined(CONFIG_GRKERNSEC_PROC_ADD)
8624 proc_root_kcore = create_proc_entry("kcore", S_IRUSR, NULL);
8625 if (proc_root_kcore) {
8626 proc_root_kcore->proc_fops = &proc_kcore_operations;
8627 diff -urNp linux-2.6.16.12/fs/proc/root.c linux-2.6.16.12/fs/proc/root.c
8628 --- linux-2.6.16.12/fs/proc/root.c 2006-05-01 15:14:26.000000000 -0400
8629 +++ linux-2.6.16.12/fs/proc/root.c 2006-05-01 20:17:33.000000000 -0400
8630 @@ -56,7 +56,13 @@ void __init proc_root_init(void)
8634 +#ifdef CONFIG_GRKERNSEC_PROC_USER
8635 + proc_net = proc_mkdir_mode("net", S_IRUSR | S_IXUSR, NULL);
8636 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
8637 + proc_net = proc_mkdir_mode("net", S_IRUSR | S_IXUSR | S_IRGRP | S_IXGRP, NULL);
8639 proc_net = proc_mkdir("net", NULL);
8641 proc_net_stat = proc_mkdir("net/stat", NULL);
8643 #ifdef CONFIG_SYSVIPC
8644 @@ -80,7 +86,15 @@ void __init proc_root_init(void)
8645 #ifdef CONFIG_PROC_DEVICETREE
8646 proc_device_tree_init();
8648 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
8649 +#ifdef CONFIG_GRKERNSEC_PROC_USER
8650 + proc_bus = proc_mkdir_mode("bus", S_IRUSR | S_IXUSR, NULL);
8651 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
8652 + proc_bus = proc_mkdir_mode("bus", S_IRUSR | S_IXUSR | S_IRGRP | S_IXGRP, NULL);
8655 proc_bus = proc_mkdir("bus", NULL);
8660 diff -urNp linux-2.6.16.12/fs/proc/task_mmu.c linux-2.6.16.12/fs/proc/task_mmu.c
8661 --- linux-2.6.16.12/fs/proc/task_mmu.c 2006-05-01 15:14:26.000000000 -0400
8662 +++ linux-2.6.16.12/fs/proc/task_mmu.c 2006-05-01 20:17:33.000000000 -0400
8663 @@ -43,15 +43,27 @@ char *task_mem(struct mm_struct *mm, cha
8667 - "VmPTE:\t%8lu kB\n",
8668 - hiwater_vm << (PAGE_SHIFT-10),
8669 + "VmPTE:\t%8lu kB\n"
8671 +#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
8672 + "CsBase:\t%8lx\nCsLim:\t%8lx\n"
8675 + ,hiwater_vm << (PAGE_SHIFT-10),
8676 (total_vm - mm->reserved_vm) << (PAGE_SHIFT-10),
8677 mm->locked_vm << (PAGE_SHIFT-10),
8678 hiwater_rss << (PAGE_SHIFT-10),
8679 total_rss << (PAGE_SHIFT-10),
8680 data << (PAGE_SHIFT-10),
8681 mm->stack_vm << (PAGE_SHIFT-10), text, lib,
8682 - (PTRS_PER_PTE*sizeof(pte_t)*mm->nr_ptes) >> 10);
8683 + (PTRS_PER_PTE*sizeof(pte_t)*mm->nr_ptes) >> 10
8685 +#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
8686 + , mm->context.user_cs_base, mm->context.user_cs_limit
8694 @@ -118,6 +130,12 @@ struct mem_size_stats
8695 unsigned long private_dirty;
8698 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
8699 +#define PAX_RAND_FLAGS(_mm) (_mm != NULL && _mm != current->mm && \
8700 + (_mm->pax_flags & MF_PAX_RANDMMAP || \
8701 + _mm->pax_flags & MF_PAX_SEGMEXEC))
8704 static int show_map_internal(struct seq_file *m, void *v, struct mem_size_stats *mss)
8706 struct task_struct *task = m->private;
8707 @@ -136,13 +154,30 @@ static int show_map_internal(struct seq_
8710 seq_printf(m, "%08lx-%08lx %c%c%c%c %08lx %02x:%02x %lu %n",
8711 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
8712 + PAX_RAND_FLAGS(mm) ? 0UL : vma->vm_start,
8713 + PAX_RAND_FLAGS(mm) ? 0UL : vma->vm_end,
8720 + flags & VM_MAYREAD ? flags & VM_READ ? 'R' : '+' : flags & VM_READ ? 'r' : '-',
8721 + flags & VM_MAYWRITE ? flags & VM_WRITE ? 'W' : '+' : flags & VM_WRITE ? 'w' : '-',
8722 + flags & VM_MAYEXEC ? flags & VM_EXEC ? 'X' : '+' : flags & VM_EXEC ? 'x' : '-',
8724 flags & VM_READ ? 'r' : '-',
8725 flags & VM_WRITE ? 'w' : '-',
8726 flags & VM_EXEC ? 'x' : '-',
8729 flags & VM_MAYSHARE ? 's' : 'p',
8730 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
8731 + PAX_RAND_FLAGS(mm) ? 0UL : vma->vm_pgoff << PAGE_SHIFT,
8733 vma->vm_pgoff << PAGE_SHIFT,
8735 MAJOR(dev), MINOR(dev), ino, &len);
8738 @@ -154,13 +189,13 @@ static int show_map_internal(struct seq_
8739 seq_path(m, file->f_vfsmnt, file->f_dentry, "\n");
8742 - if (vma->vm_start <= mm->start_brk &&
8743 - vma->vm_end >= mm->brk) {
8744 + if (vma->vm_start <= mm->brk && vma->vm_end >= mm->start_brk) {
8745 pad_len_spaces(m, len);
8746 seq_puts(m, "[heap]");
8748 - if (vma->vm_start <= mm->start_stack &&
8749 - vma->vm_end >= mm->start_stack) {
8750 + if ((vma->vm_flags & (VM_GROWSDOWN | VM_GROWSUP)) ||
8751 + (vma->vm_start <= mm->start_stack &&
8752 + vma->vm_end >= mm->start_stack)) {
8754 pad_len_spaces(m, len);
8755 seq_puts(m, "[stack]");
8756 @@ -173,7 +208,25 @@ static int show_map_internal(struct seq_
8763 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
8764 + if (PAX_RAND_FLAGS(mm))
8768 + "Shared_Clean: %8lu kB\n"
8769 + "Shared_Dirty: %8lu kB\n"
8770 + "Private_Clean: %8lu kB\n"
8771 + "Private_Dirty: %8lu kB\n",
8783 @@ -187,6 +240,7 @@ static int show_map_internal(struct seq_
8784 mss->shared_dirty >> 10,
8785 mss->private_clean >> 10,
8786 mss->private_dirty >> 10);
8789 if (m->count < m->size) /* vma is copied successfully */
8790 m->version = (vma != get_gate_vma(task))? vma->vm_start: 0;
8791 diff -urNp linux-2.6.16.12/fs/readdir.c linux-2.6.16.12/fs/readdir.c
8792 --- linux-2.6.16.12/fs/readdir.c 2006-05-01 15:14:26.000000000 -0400
8793 +++ linux-2.6.16.12/fs/readdir.c 2006-05-01 20:17:33.000000000 -0400
8795 #include <linux/security.h>
8796 #include <linux/syscalls.h>
8797 #include <linux/unistd.h>
8798 +#include <linux/namei.h>
8799 +#include <linux/grsecurity.h>
8801 #include <asm/uaccess.h>
8803 @@ -65,6 +67,7 @@ struct old_linux_dirent {
8805 struct readdir_callback {
8806 struct old_linux_dirent __user * dirent;
8807 + struct file * file;
8811 @@ -76,6 +79,10 @@ static int fillonedir(void * __buf, cons
8816 + if (!gr_acl_handle_filldir(buf->file, name, namlen, ino))
8820 dirent = buf->dirent;
8821 if (!access_ok(VERIFY_WRITE, dirent,
8822 @@ -107,6 +114,7 @@ asmlinkage long old_readdir(unsigned int
8825 buf.dirent = dirent;
8828 error = vfs_readdir(file, fillonedir, &buf);
8830 @@ -133,6 +141,7 @@ struct linux_dirent {
8831 struct getdents_callback {
8832 struct linux_dirent __user * current_dir;
8833 struct linux_dirent __user * previous;
8834 + struct file * file;
8838 @@ -147,6 +156,10 @@ static int filldir(void * __buf, const c
8839 buf->error = -EINVAL; /* only used if we fail.. */
8840 if (reclen > buf->count)
8843 + if (!gr_acl_handle_filldir(buf->file, name, namlen, ino))
8846 dirent = buf->previous;
8848 if (__put_user(offset, &dirent->d_off))
8849 @@ -191,6 +204,7 @@ asmlinkage long sys_getdents(unsigned in
8851 buf.current_dir = dirent;
8852 buf.previous = NULL;
8857 @@ -217,6 +231,7 @@ out:
8858 struct getdents_callback64 {
8859 struct linux_dirent64 __user * current_dir;
8860 struct linux_dirent64 __user * previous;
8861 + struct file * file;
8865 @@ -231,6 +246,10 @@ static int filldir64(void * __buf, const
8866 buf->error = -EINVAL; /* only used if we fail.. */
8867 if (reclen > buf->count)
8870 + if (!gr_acl_handle_filldir(buf->file, name, namlen, ino))
8873 dirent = buf->previous;
8875 if (__put_user(offset, &dirent->d_off))
8876 @@ -277,6 +296,7 @@ asmlinkage long sys_getdents64(unsigned
8878 buf.current_dir = dirent;
8879 buf.previous = NULL;
8884 diff -urNp linux-2.6.16.12/fs/xfs/linux-2.6/xfs_file.c linux-2.6.16.12/fs/xfs/linux-2.6/xfs_file.c
8885 --- linux-2.6.16.12/fs/xfs/linux-2.6/xfs_file.c 2006-05-01 15:14:26.000000000 -0400
8886 +++ linux-2.6.16.12/fs/xfs/linux-2.6/xfs_file.c 2006-05-01 20:17:33.000000000 -0400
8887 @@ -413,6 +413,11 @@ linvfs_file_mmap(
8888 vattr_t va = { .va_mask = XFS_AT_UPDATIME };
8891 +#ifdef CONFIG_PAX_PAGEEXEC
8892 + if (vma->vm_mm->pax_flags & MF_PAX_PAGEEXEC)
8893 + vma->vm_page_prot = protection_map[vma->vm_flags & 0x0f];
8896 vma->vm_ops = &linvfs_file_vm_ops;
8898 #ifdef CONFIG_XFS_DMAPI
8899 diff -urNp linux-2.6.16.12/grsecurity/gracl_alloc.c linux-2.6.16.12/grsecurity/gracl_alloc.c
8900 --- linux-2.6.16.12/grsecurity/gracl_alloc.c 1969-12-31 19:00:00.000000000 -0500
8901 +++ linux-2.6.16.12/grsecurity/gracl_alloc.c 2006-05-01 20:17:33.000000000 -0400
8903 +#include <linux/kernel.h>
8904 +#include <linux/mm.h>
8905 +#include <linux/slab.h>
8906 +#include <linux/vmalloc.h>
8907 +#include <linux/gracl.h>
8908 +#include <linux/grsecurity.h>
8910 +static unsigned long alloc_stack_next = 1;
8911 +static unsigned long alloc_stack_size = 1;
8912 +static void **alloc_stack;
8914 +static __inline__ int
8917 + if (alloc_stack_next == 1)
8920 + kfree(alloc_stack[alloc_stack_next - 2]);
8922 + alloc_stack_next--;
8927 +static __inline__ void
8928 +alloc_push(void *buf)
8930 + if (alloc_stack_next >= alloc_stack_size)
8933 + alloc_stack[alloc_stack_next - 1] = buf;
8935 + alloc_stack_next++;
8941 +acl_alloc(unsigned long len)
8945 + if (len > PAGE_SIZE)
8948 + ret = kmalloc(len, GFP_KERNEL);
8959 + if (gr_acl_is_enabled() || !alloc_stack)
8962 + while (alloc_pop()) ;
8964 + if (alloc_stack) {
8965 + if ((alloc_stack_size * sizeof (void *)) <= PAGE_SIZE)
8966 + kfree(alloc_stack);
8968 + vfree(alloc_stack);
8971 + alloc_stack = NULL;
8972 + alloc_stack_size = 1;
8973 + alloc_stack_next = 1;
8979 +acl_alloc_stack_init(unsigned long size)
8981 + if ((size * sizeof (void *)) <= PAGE_SIZE)
8983 + (void **) kmalloc(size * sizeof (void *), GFP_KERNEL);
8985 + alloc_stack = (void **) vmalloc(size * sizeof (void *));
8987 + alloc_stack_size = size;
8994 diff -urNp linux-2.6.16.12/grsecurity/gracl.c linux-2.6.16.12/grsecurity/gracl.c
8995 --- linux-2.6.16.12/grsecurity/gracl.c 1969-12-31 19:00:00.000000000 -0500
8996 +++ linux-2.6.16.12/grsecurity/gracl.c 2006-05-01 20:17:33.000000000 -0400
8998 +#include <linux/kernel.h>
8999 +#include <linux/module.h>
9000 +#include <linux/sched.h>
9001 +#include <linux/mm.h>
9002 +#include <linux/file.h>
9003 +#include <linux/fs.h>
9004 +#include <linux/namei.h>
9005 +#include <linux/mount.h>
9006 +#include <linux/tty.h>
9007 +#include <linux/proc_fs.h>
9008 +#include <linux/smp_lock.h>
9009 +#include <linux/slab.h>
9010 +#include <linux/vmalloc.h>
9011 +#include <linux/types.h>
9012 +#include <linux/capability.h>
9013 +#include <linux/sysctl.h>
9014 +#include <linux/netdevice.h>
9015 +#include <linux/ptrace.h>
9016 +#include <linux/gracl.h>
9017 +#include <linux/gralloc.h>
9018 +#include <linux/grsecurity.h>
9019 +#include <linux/grinternal.h>
9020 +#include <linux/percpu.h>
9022 +#include <asm/uaccess.h>
9023 +#include <asm/errno.h>
9024 +#include <asm/mman.h>
9026 +static struct acl_role_db acl_role_set;
9027 +static struct name_db name_set;
9028 +static struct inodev_db inodev_set;
9030 +/* for keeping track of userspace pointers used for subjects, so we
9031 + can share references in the kernel as well
9034 +static struct dentry *real_root;
9035 +static struct vfsmount *real_root_mnt;
9037 +static struct acl_subj_map_db subj_map_set;
9039 +static struct acl_role_label *default_role;
9041 +static u16 acl_sp_role_value;
9043 +extern char *gr_shared_page[4];
9044 +static DECLARE_MUTEX(gr_dev_sem);
9045 +rwlock_t gr_inode_lock = RW_LOCK_UNLOCKED;
9047 +struct gr_arg *gr_usermode;
9049 +static unsigned int gr_status = GR_STATUS_INIT;
9051 +extern int chkpw(struct gr_arg *entry, unsigned char *salt, unsigned char *sum);
9052 +extern void gr_clear_learn_entries(void);
9054 +#ifdef CONFIG_GRKERNSEC_RESLOG
9055 +extern void gr_log_resource(const struct task_struct *task,
9056 + const int res, const unsigned long wanted, const int gt);
9059 +extern char * __d_path(struct dentry *dentry, struct vfsmount *vfsmnt,
9060 + struct dentry *root, struct vfsmount *rootmnt,
9061 + char *buffer, int buflen);
9063 +unsigned char *gr_system_salt;
9064 +unsigned char *gr_system_sum;
9066 +static struct sprole_pw **acl_special_roles = NULL;
9067 +static __u16 num_sprole_pws = 0;
9069 +static struct acl_role_label *kernel_role = NULL;
9071 +static unsigned int gr_auth_attempts = 0;
9072 +static unsigned long gr_auth_expires = 0UL;
9074 +extern int gr_init_uidset(void);
9075 +extern void gr_free_uidset(void);
9076 +extern void gr_remove_uid(uid_t uid);
9077 +extern int gr_find_uid(uid_t uid);
9080 +gr_acl_is_enabled(void)
9082 + return (gr_status & GR_READY);
9085 +char gr_roletype_to_char(void)
9087 + switch (current->role->roletype &
9088 + (GR_ROLE_DEFAULT | GR_ROLE_USER | GR_ROLE_GROUP |
9089 + GR_ROLE_SPECIAL)) {
9090 + case GR_ROLE_DEFAULT:
9092 + case GR_ROLE_USER:
9094 + case GR_ROLE_GROUP:
9096 + case GR_ROLE_SPECIAL:
9104 +gr_acl_tpe_check(void)
9106 + if (unlikely(!(gr_status & GR_READY)))
9108 + if (current->role->roletype & GR_ROLE_TPE)
9115 +gr_handle_rawio(const struct inode *inode)
9117 +#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
9118 + if (inode && S_ISBLK(inode->i_mode) &&
9119 + grsec_enable_chroot_caps && proc_is_chrooted(current) &&
9120 + !capable(CAP_SYS_RAWIO))
9127 +gr_streq(const char *a, const char *b, const unsigned int lena, const unsigned int lenb)
9130 + unsigned long *l1;
9131 + unsigned long *l2;
9132 + unsigned char *c1;
9133 + unsigned char *c2;
9136 + if (likely(lena != lenb))
9139 + l1 = (unsigned long *)a;
9140 + l2 = (unsigned long *)b;
9142 + num_longs = lena / sizeof(unsigned long);
9144 + for (i = num_longs; i--; l1++, l2++) {
9145 + if (unlikely(*l1 != *l2))
9149 + c1 = (unsigned char *) l1;
9150 + c2 = (unsigned char *) l2;
9152 + i = lena - (num_longs * sizeof(unsigned long));
9154 + for (; i--; c1++, c2++) {
9155 + if (unlikely(*c1 != *c2))
9163 +gen_full_path(struct dentry *dentry, struct vfsmount *vfsmnt,
9164 + struct dentry *root, struct vfsmount *rootmnt, char *buf, int buflen)
9166 + char *end = buf + buflen;
9175 + if (dentry == root && vfsmnt == rootmnt)
9177 + if (dentry != vfsmnt->mnt_root && !IS_ROOT(dentry)) {
9178 + namelen = strlen(dentry->d_name.name);
9179 + buflen -= namelen;
9182 + if (dentry->d_parent != root || vfsmnt != rootmnt)
9186 + retval = __d_path(dentry->d_parent, vfsmnt, root, rootmnt, buf, buflen);
9187 + if (unlikely(IS_ERR(retval)))
9189 + retval = strcpy(buf, "<path too long>");
9190 + else if (namelen != 0) {
9191 + end = buf + buflen - 1; // accounts for null termination
9192 + if (dentry->d_parent != root || vfsmnt != rootmnt)
9193 + *end++ = '/'; // accounted for above with buflen--
9194 + memcpy(end, dentry->d_name.name, namelen);
9201 +__d_real_path(const struct dentry *dentry, const struct vfsmount *vfsmnt,
9202 + char *buf, int buflen)
9206 + /* we can use real_root, real_root_mnt, because this is only called
9207 + by the RBAC system */
9208 + res = gen_full_path((struct dentry *)dentry, (struct vfsmount *)vfsmnt, real_root, real_root_mnt, buf, buflen);
9214 +d_real_path(const struct dentry *dentry, const struct vfsmount *vfsmnt,
9215 + char *buf, int buflen)
9218 + struct dentry *root;
9219 + struct vfsmount *rootmnt;
9221 + /* we can't use real_root, real_root_mnt, because they belong only to the RBAC system */
9222 + read_lock(&child_reaper->fs->lock);
9223 + root = dget(child_reaper->fs->root);
9224 + rootmnt = mntget(child_reaper->fs->rootmnt);
9225 + read_unlock(&child_reaper->fs->lock);
9227 + spin_lock(&dcache_lock);
9228 + res = gen_full_path((struct dentry *)dentry, (struct vfsmount *)vfsmnt, root, rootmnt, buf, buflen);
9229 + spin_unlock(&dcache_lock);
9237 +gr_to_filename_rbac(const struct dentry *dentry, const struct vfsmount *mnt)
9240 + spin_lock(&dcache_lock);
9241 + ret = __d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[0],smp_processor_id()),
9243 + spin_unlock(&dcache_lock);
9248 +gr_to_filename_nolock(const struct dentry *dentry, const struct vfsmount *mnt)
9250 + return __d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[0],smp_processor_id()),
9255 +gr_to_filename(const struct dentry *dentry, const struct vfsmount *mnt)
9257 + return d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[0], smp_processor_id()),
9262 +gr_to_filename1(const struct dentry *dentry, const struct vfsmount *mnt)
9264 + return d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[1], smp_processor_id()),
9269 +gr_to_filename2(const struct dentry *dentry, const struct vfsmount *mnt)
9271 + return d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[2], smp_processor_id()),
9276 +gr_to_filename3(const struct dentry *dentry, const struct vfsmount *mnt)
9278 + return d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[3], smp_processor_id()),
9283 +to_gr_audit(const __u32 reqmode)
9285 + /* masks off auditable permission flags, then shifts them to create
9286 + auditing flags, and adds the special case of append auditing if
9287 + we're requesting write */
9288 + return (((reqmode & GR_AUDIT_READ) << 10) | ((reqmode & GR_WRITE) ? GR_AUDIT_APPEND : 0));
9291 +struct acl_subject_label *
9292 +lookup_subject_map(const struct acl_subject_label *userp)
9294 + unsigned int index = shash(userp, subj_map_set.s_size);
9295 + struct subject_map *match;
9297 + match = subj_map_set.s_hash[index];
9299 + while (match && match->user != userp)
9300 + match = match->next;
9302 + if (match != NULL)
9303 + return match->kernel;
9309 +insert_subj_map_entry(struct subject_map *subjmap)
9311 + unsigned int index = shash(subjmap->user, subj_map_set.s_size);
9312 + struct subject_map **curr;
9314 + subjmap->prev = NULL;
9316 + curr = &subj_map_set.s_hash[index];
9317 + if (*curr != NULL)
9318 + (*curr)->prev = subjmap;
9320 + subjmap->next = *curr;
9326 +static struct acl_role_label *
9327 +lookup_acl_role_label(const struct task_struct *task, const uid_t uid,
9330 + unsigned int index = rhash(uid, GR_ROLE_USER, acl_role_set.r_size);
9331 + struct acl_role_label *match;
9332 + struct role_allowed_ip *ipp;
9335 + match = acl_role_set.r_hash[index];
9338 + if ((match->roletype & (GR_ROLE_DOMAIN | GR_ROLE_USER)) == (GR_ROLE_DOMAIN | GR_ROLE_USER)) {
9339 + for (x = 0; x < match->domain_child_num; x++) {
9340 + if (match->domain_children[x] == uid)
9343 + } else if (match->uidgid == uid && match->roletype & GR_ROLE_USER)
9345 + match = match->next;
9348 + if (match == NULL) {
9350 + index = rhash(gid, GR_ROLE_GROUP, acl_role_set.r_size);
9351 + match = acl_role_set.r_hash[index];
9354 + if ((match->roletype & (GR_ROLE_DOMAIN | GR_ROLE_GROUP)) == (GR_ROLE_DOMAIN | GR_ROLE_GROUP)) {
9355 + for (x = 0; x < match->domain_child_num; x++) {
9356 + if (match->domain_children[x] == gid)
9359 + } else if (match->uidgid == gid && match->roletype & GR_ROLE_GROUP)
9361 + match = match->next;
9364 + if (match == NULL)
9365 + match = default_role;
9366 + if (match->allowed_ips == NULL)
9369 + for (ipp = match->allowed_ips; ipp; ipp = ipp->next) {
9371 + ((ntohl(task->signal->curr_ip) & ipp->netmask) ==
9372 + (ntohl(ipp->addr) & ipp->netmask)))
9375 + match = default_role;
9377 + } else if (match->allowed_ips == NULL) {
9380 + for (ipp = match->allowed_ips; ipp; ipp = ipp->next) {
9382 + ((ntohl(task->signal->curr_ip) & ipp->netmask) ==
9383 + (ntohl(ipp->addr) & ipp->netmask)))
9392 +struct acl_subject_label *
9393 +lookup_acl_subj_label(const ino_t ino, const dev_t dev,
9394 + const struct acl_role_label *role)
9396 + unsigned int index = fhash(ino, dev, role->subj_hash_size);
9397 + struct acl_subject_label *match;
9399 + match = role->subj_hash[index];
9401 + while (match && (match->inode != ino || match->device != dev ||
9402 + (match->mode & GR_DELETED))) {
9403 + match = match->next;
9406 + if (match && !(match->mode & GR_DELETED))
9412 +static struct acl_object_label *
9413 +lookup_acl_obj_label(const ino_t ino, const dev_t dev,
9414 + const struct acl_subject_label *subj)
9416 + unsigned int index = fhash(ino, dev, subj->obj_hash_size);
9417 + struct acl_object_label *match;
9419 + match = subj->obj_hash[index];
9421 + while (match && (match->inode != ino || match->device != dev ||
9422 + (match->mode & GR_DELETED))) {
9423 + match = match->next;
9426 + if (match && !(match->mode & GR_DELETED))
9432 +static struct acl_object_label *
9433 +lookup_acl_obj_label_create(const ino_t ino, const dev_t dev,
9434 + const struct acl_subject_label *subj)
9436 + unsigned int index = fhash(ino, dev, subj->obj_hash_size);
9437 + struct acl_object_label *match;
9439 + match = subj->obj_hash[index];
9441 + while (match && (match->inode != ino || match->device != dev ||
9442 + !(match->mode & GR_DELETED))) {
9443 + match = match->next;
9446 + if (match && (match->mode & GR_DELETED))
9449 + match = subj->obj_hash[index];
9451 + while (match && (match->inode != ino || match->device != dev ||
9452 + (match->mode & GR_DELETED))) {
9453 + match = match->next;
9456 + if (match && !(match->mode & GR_DELETED))
9462 +static struct name_entry *
9463 +lookup_name_entry(const char *name)
9465 + unsigned int len = strlen(name);
9466 + unsigned int key = full_name_hash(name, len);
9467 + unsigned int index = key % name_set.n_size;
9468 + struct name_entry *match;
9470 + match = name_set.n_hash[index];
9472 + while (match && (match->key != key || !gr_streq(match->name, name, match->len, len)))
9473 + match = match->next;
9478 +static struct inodev_entry *
9479 +lookup_inodev_entry(const ino_t ino, const dev_t dev)
9481 + unsigned int index = fhash(ino, dev, inodev_set.i_size);
9482 + struct inodev_entry *match;
9484 + match = inodev_set.i_hash[index];
9486 + while (match && (match->nentry->inode != ino || match->nentry->device != dev))
9487 + match = match->next;
9493 +insert_inodev_entry(struct inodev_entry *entry)
9495 + unsigned int index = fhash(entry->nentry->inode, entry->nentry->device,
9496 + inodev_set.i_size);
9497 + struct inodev_entry **curr;
9499 + entry->prev = NULL;
9501 + curr = &inodev_set.i_hash[index];
9502 + if (*curr != NULL)
9503 + (*curr)->prev = entry;
9505 + entry->next = *curr;
9512 +__insert_acl_role_label(struct acl_role_label *role, uid_t uidgid)
9514 + unsigned int index =
9515 + rhash(uidgid, role->roletype & (GR_ROLE_USER | GR_ROLE_GROUP), acl_role_set.r_size);
9516 + struct acl_role_label **curr;
9518 + role->prev = NULL;
9520 + curr = &acl_role_set.r_hash[index];
9521 + if (*curr != NULL)
9522 + (*curr)->prev = role;
9524 + role->next = *curr;
9531 +insert_acl_role_label(struct acl_role_label *role)
9535 + if (role->roletype & GR_ROLE_DOMAIN) {
9536 + for (i = 0; i < role->domain_child_num; i++)
9537 + __insert_acl_role_label(role, role->domain_children[i]);
9539 + __insert_acl_role_label(role, role->uidgid);
9543 +insert_name_entry(char *name, const ino_t inode, const dev_t device)
9545 + struct name_entry **curr, *nentry;
9546 + struct inodev_entry *ientry;
9547 + unsigned int len = strlen(name);
9548 + unsigned int key = full_name_hash(name, len);
9549 + unsigned int index = key % name_set.n_size;
9551 + curr = &name_set.n_hash[index];
9553 + while (*curr && ((*curr)->key != key || !gr_streq((*curr)->name, name, (*curr)->len, len)))
9554 + curr = &((*curr)->next);
9556 + if (*curr != NULL)
9559 + nentry = acl_alloc(sizeof (struct name_entry));
9560 + if (nentry == NULL)
9562 + ientry = acl_alloc(sizeof (struct inodev_entry));
9563 + if (ientry == NULL)
9565 + ientry->nentry = nentry;
9567 + nentry->key = key;
9568 + nentry->name = name;
9569 + nentry->inode = inode;
9570 + nentry->device = device;
9571 + nentry->len = len;
9573 + nentry->prev = NULL;
9574 + curr = &name_set.n_hash[index];
9575 + if (*curr != NULL)
9576 + (*curr)->prev = nentry;
9577 + nentry->next = *curr;
9580 + /* insert us into the table searchable by inode/dev */
9581 + insert_inodev_entry(ientry);
9587 +insert_acl_obj_label(struct acl_object_label *obj,
9588 + struct acl_subject_label *subj)
9590 + unsigned int index =
9591 + fhash(obj->inode, obj->device, subj->obj_hash_size);
9592 + struct acl_object_label **curr;
9597 + curr = &subj->obj_hash[index];
9598 + if (*curr != NULL)
9599 + (*curr)->prev = obj;
9601 + obj->next = *curr;
9608 +insert_acl_subj_label(struct acl_subject_label *obj,
9609 + struct acl_role_label *role)
9611 + unsigned int index = fhash(obj->inode, obj->device, role->subj_hash_size);
9612 + struct acl_subject_label **curr;
9616 + curr = &role->subj_hash[index];
9617 + if (*curr != NULL)
9618 + (*curr)->prev = obj;
9620 + obj->next = *curr;
9626 +/* allocating chained hash tables, so optimal size is where lambda ~ 1 */
9629 +create_table(__u32 * len, int elementsize)
9631 + unsigned int table_sizes[] = {
9632 + 7, 13, 31, 61, 127, 251, 509, 1021, 2039, 4093, 8191, 16381,
9633 + 32749, 65521, 131071, 262139, 524287, 1048573, 2097143,
9634 + 4194301, 8388593, 16777213, 33554393, 67108859, 134217689,
9635 + 268435399, 536870909, 1073741789, 2147483647
9637 + void *newtable = NULL;
9638 + unsigned int pwr = 0;
9640 + while ((pwr < ((sizeof (table_sizes) / sizeof (table_sizes[0])) - 1)) &&
9641 + table_sizes[pwr] <= *len)
9644 + if (table_sizes[pwr] <= *len)
9647 + if ((table_sizes[pwr] * elementsize) <= PAGE_SIZE)
9649 + kmalloc(table_sizes[pwr] * elementsize, GFP_KERNEL);
9651 + newtable = vmalloc(table_sizes[pwr] * elementsize);
9653 + *len = table_sizes[pwr];
9659 +init_variables(const struct gr_arg *arg)
9661 + unsigned int stacksize;
9663 + subj_map_set.s_size = arg->role_db.num_subjects;
9664 + acl_role_set.r_size = arg->role_db.num_roles + arg->role_db.num_domain_children;
9665 + name_set.n_size = arg->role_db.num_objects;
9666 + inodev_set.i_size = arg->role_db.num_objects;
9668 + if (!subj_map_set.s_size || !acl_role_set.r_size ||
9669 + !name_set.n_size || !inodev_set.i_size)
9672 + if (!gr_init_uidset())
9675 + /* set up the stack that holds allocation info */
9677 + stacksize = arg->role_db.num_pointers + 5;
9679 + if (!acl_alloc_stack_init(stacksize))
9682 + /* grab reference for the real root dentry and vfsmount */
9683 + read_lock(&child_reaper->fs->lock);
9684 + real_root_mnt = mntget(child_reaper->fs->rootmnt);
9685 + real_root = dget(child_reaper->fs->root);
9686 + read_unlock(&child_reaper->fs->lock);
9689 + subj_map_set.s_hash =
9690 + (struct subject_map **) create_table(&subj_map_set.s_size, sizeof(void *));
9691 + acl_role_set.r_hash =
9692 + (struct acl_role_label **) create_table(&acl_role_set.r_size, sizeof(void *));
9693 + name_set.n_hash = (struct name_entry **) create_table(&name_set.n_size, sizeof(void *));
9694 + inodev_set.i_hash =
9695 + (struct inodev_entry **) create_table(&inodev_set.i_size, sizeof(void *));
9697 + if (!subj_map_set.s_hash || !acl_role_set.r_hash ||
9698 + !name_set.n_hash || !inodev_set.i_hash)
9701 + memset(subj_map_set.s_hash, 0,
9702 + sizeof(struct subject_map *) * subj_map_set.s_size);
9703 + memset(acl_role_set.r_hash, 0,
9704 + sizeof (struct acl_role_label *) * acl_role_set.r_size);
9705 + memset(name_set.n_hash, 0,
9706 + sizeof (struct name_entry *) * name_set.n_size);
9707 + memset(inodev_set.i_hash, 0,
9708 + sizeof (struct inodev_entry *) * inodev_set.i_size);
9713 +/* free information not needed after startup
9714 + currently contains user->kernel pointer mappings for subjects
9718 +free_init_variables(void)
9722 + if (subj_map_set.s_hash) {
9723 + for (i = 0; i < subj_map_set.s_size; i++) {
9724 + if (subj_map_set.s_hash[i]) {
9725 + kfree(subj_map_set.s_hash[i]);
9726 + subj_map_set.s_hash[i] = NULL;
9730 + if ((subj_map_set.s_size * sizeof (struct subject_map *)) <=
9732 + kfree(subj_map_set.s_hash);
9734 + vfree(subj_map_set.s_hash);
9741 +free_variables(void)
9743 + struct acl_subject_label *s;
9744 + struct acl_role_label *r;
9745 + struct task_struct *task, *task2;
9746 + unsigned int i, x;
9748 + gr_clear_learn_entries();
9750 + read_lock(&tasklist_lock);
9751 + do_each_thread(task2, task) {
9752 + task->acl_sp_role = 0;
9753 + task->acl_role_id = 0;
9755 + task->role = NULL;
9756 + } while_each_thread(task2, task);
9757 + read_unlock(&tasklist_lock);
9759 + /* release the reference to the real root dentry and vfsmount */
9763 + if (real_root_mnt)
9764 + mntput(real_root_mnt);
9765 + real_root_mnt = NULL;
9767 + /* free all object hash tables */
9769 + FOR_EACH_ROLE_START(r, i)
9770 + if (r->subj_hash == NULL)
9772 + FOR_EACH_SUBJECT_START(r, s, x)
9773 + if (s->obj_hash == NULL)
9775 + if ((s->obj_hash_size * sizeof (struct acl_object_label *)) <= PAGE_SIZE)
9776 + kfree(s->obj_hash);
9778 + vfree(s->obj_hash);
9779 + FOR_EACH_SUBJECT_END(s, x)
9780 + FOR_EACH_NESTED_SUBJECT_START(r, s)
9781 + if (s->obj_hash == NULL)
9783 + if ((s->obj_hash_size * sizeof (struct acl_object_label *)) <= PAGE_SIZE)
9784 + kfree(s->obj_hash);
9786 + vfree(s->obj_hash);
9787 + FOR_EACH_NESTED_SUBJECT_END(s)
9788 + if ((r->subj_hash_size * sizeof (struct acl_subject_label *)) <= PAGE_SIZE)
9789 + kfree(r->subj_hash);
9791 + vfree(r->subj_hash);
9792 + r->subj_hash = NULL;
9793 + FOR_EACH_ROLE_END(r,i)
9797 + if (acl_role_set.r_hash) {
9798 + if ((acl_role_set.r_size * sizeof (struct acl_role_label *)) <=
9800 + kfree(acl_role_set.r_hash);
9802 + vfree(acl_role_set.r_hash);
9804 + if (name_set.n_hash) {
9805 + if ((name_set.n_size * sizeof (struct name_entry *)) <=
9807 + kfree(name_set.n_hash);
9809 + vfree(name_set.n_hash);
9812 + if (inodev_set.i_hash) {
9813 + if ((inodev_set.i_size * sizeof (struct inodev_entry *)) <=
9815 + kfree(inodev_set.i_hash);
9817 + vfree(inodev_set.i_hash);
9822 + memset(&name_set, 0, sizeof (struct name_db));
9823 + memset(&inodev_set, 0, sizeof (struct inodev_db));
9824 + memset(&acl_role_set, 0, sizeof (struct acl_role_db));
9825 + memset(&subj_map_set, 0, sizeof (struct acl_subj_map_db));
9827 + default_role = NULL;
9833 +count_user_objs(struct acl_object_label *userp)
9835 + struct acl_object_label o_tmp;
9839 + if (copy_from_user(&o_tmp, userp,
9840 + sizeof (struct acl_object_label)))
9843 + userp = o_tmp.prev;
9850 +static struct acl_subject_label *
9851 +do_copy_user_subj(struct acl_subject_label *userp, struct acl_role_label *role);
9854 +copy_user_glob(struct acl_object_label *obj)
9856 + struct acl_object_label *g_tmp, **guser;
9860 + if (obj->globbed == NULL)
9863 + guser = &obj->globbed;
9865 + g_tmp = (struct acl_object_label *)
9866 + acl_alloc(sizeof (struct acl_object_label));
9867 + if (g_tmp == NULL)
9870 + if (copy_from_user(g_tmp, *guser,
9871 + sizeof (struct acl_object_label)))
9874 + len = strnlen_user(g_tmp->filename, PATH_MAX);
9876 + if (!len || len >= PATH_MAX)
9879 + if ((tmp = (char *) acl_alloc(len)) == NULL)
9882 + if (copy_from_user(tmp, g_tmp->filename, len))
9885 + g_tmp->filename = tmp;
9888 + guser = &(g_tmp->next);
9895 +copy_user_objs(struct acl_object_label *userp, struct acl_subject_label *subj,
9896 + struct acl_role_label *role)
9898 + struct acl_object_label *o_tmp;
9904 + if ((o_tmp = (struct acl_object_label *)
9905 + acl_alloc(sizeof (struct acl_object_label))) == NULL)
9908 + if (copy_from_user(o_tmp, userp,
9909 + sizeof (struct acl_object_label)))
9912 + userp = o_tmp->prev;
9914 + len = strnlen_user(o_tmp->filename, PATH_MAX);
9916 + if (!len || len >= PATH_MAX)
9919 + if ((tmp = (char *) acl_alloc(len)) == NULL)
9922 + if (copy_from_user(tmp, o_tmp->filename, len))
9925 + o_tmp->filename = tmp;
9927 + insert_acl_obj_label(o_tmp, subj);
9928 + if (!insert_name_entry(o_tmp->filename, o_tmp->inode,
9932 + ret = copy_user_glob(o_tmp);
9936 + if (o_tmp->nested) {
9937 + o_tmp->nested = do_copy_user_subj(o_tmp->nested, role);
9938 + if (IS_ERR(o_tmp->nested))
9939 + return PTR_ERR(o_tmp->nested);
9941 + /* insert into nested subject list */
9942 + o_tmp->nested->next = role->hash->first;
9943 + role->hash->first = o_tmp->nested;
9951 +count_user_subjs(struct acl_subject_label *userp)
9953 + struct acl_subject_label s_tmp;
9957 + if (copy_from_user(&s_tmp, userp,
9958 + sizeof (struct acl_subject_label)))
9961 + userp = s_tmp.prev;
9962 + /* do not count nested subjects against this count, since
9963 + they are not included in the hash table, but are
9964 + attached to objects. We have already counted
9965 + the subjects in userspace for the allocation
9968 + if (!(s_tmp.mode & GR_NESTED))
9976 +copy_user_allowedips(struct acl_role_label *rolep)
9978 + struct role_allowed_ip *ruserip, *rtmp = NULL, *rlast;
9980 + ruserip = rolep->allowed_ips;
9985 + if ((rtmp = (struct role_allowed_ip *)
9986 + acl_alloc(sizeof (struct role_allowed_ip))) == NULL)
9989 + if (copy_from_user(rtmp, ruserip,
9990 + sizeof (struct role_allowed_ip)))
9993 + ruserip = rtmp->prev;
9996 + rtmp->prev = NULL;
9997 + rolep->allowed_ips = rtmp;
9999 + rlast->next = rtmp;
10000 + rtmp->prev = rlast;
10004 + rtmp->next = NULL;
10011 +copy_user_transitions(struct acl_role_label *rolep)
10013 + struct role_transition *rusertp, *rtmp = NULL, *rlast;
10015 + unsigned int len;
10018 + rusertp = rolep->transitions;
10020 + while (rusertp) {
10023 + if ((rtmp = (struct role_transition *)
10024 + acl_alloc(sizeof (struct role_transition))) == NULL)
10027 + if (copy_from_user(rtmp, rusertp,
10028 + sizeof (struct role_transition)))
10031 + rusertp = rtmp->prev;
10033 + len = strnlen_user(rtmp->rolename, GR_SPROLE_LEN);
10035 + if (!len || len >= GR_SPROLE_LEN)
10038 + if ((tmp = (char *) acl_alloc(len)) == NULL)
10041 + if (copy_from_user(tmp, rtmp->rolename, len))
10044 + rtmp->rolename = tmp;
10047 + rtmp->prev = NULL;
10048 + rolep->transitions = rtmp;
10050 + rlast->next = rtmp;
10051 + rtmp->prev = rlast;
10055 + rtmp->next = NULL;
10061 +static struct acl_subject_label *
10062 +do_copy_user_subj(struct acl_subject_label *userp, struct acl_role_label *role)
10064 + struct acl_subject_label *s_tmp = NULL, *s_tmp2;
10065 + unsigned int len;
10068 + struct acl_ip_label **i_tmp, *i_utmp2;
10069 + struct gr_hash_struct ghash;
10070 + struct subject_map *subjmap;
10071 + unsigned int i_num;
10074 + s_tmp = lookup_subject_map(userp);
10076 + /* we've already copied this subject into the kernel, just return
10077 + the reference to it, and don't copy it over again
10082 + if ((s_tmp = (struct acl_subject_label *)
10083 + acl_alloc(sizeof (struct acl_subject_label))) == NULL)
10084 + return ERR_PTR(-ENOMEM);
10086 + subjmap = (struct subject_map *)kmalloc(sizeof (struct subject_map), GFP_KERNEL);
10087 + if (subjmap == NULL)
10088 + return ERR_PTR(-ENOMEM);
10090 + subjmap->user = userp;
10091 + subjmap->kernel = s_tmp;
10092 + insert_subj_map_entry(subjmap);
10094 + if (copy_from_user(s_tmp, userp,
10095 + sizeof (struct acl_subject_label)))
10096 + return ERR_PTR(-EFAULT);
10098 + len = strnlen_user(s_tmp->filename, PATH_MAX);
10100 + if (!len || len >= PATH_MAX)
10101 + return ERR_PTR(-EINVAL);
10103 + if ((tmp = (char *) acl_alloc(len)) == NULL)
10104 + return ERR_PTR(-ENOMEM);
10106 + if (copy_from_user(tmp, s_tmp->filename, len))
10107 + return ERR_PTR(-EFAULT);
10109 + s_tmp->filename = tmp;
10111 + if (!strcmp(s_tmp->filename, "/"))
10112 + role->root_label = s_tmp;
10114 + if (copy_from_user(&ghash, s_tmp->hash, sizeof(struct gr_hash_struct)))
10115 + return ERR_PTR(-EFAULT);
10117 + /* copy user and group transition tables */
10119 + if (s_tmp->user_trans_num) {
10122 + uidlist = (uid_t *)acl_alloc(s_tmp->user_trans_num * sizeof(uid_t));
10123 + if (uidlist == NULL)
10124 + return ERR_PTR(-ENOMEM);
10125 + if (copy_from_user(uidlist, s_tmp->user_transitions, s_tmp->user_trans_num * sizeof(uid_t)))
10126 + return ERR_PTR(-EFAULT);
10128 + s_tmp->user_transitions = uidlist;
10131 + if (s_tmp->group_trans_num) {
10134 + gidlist = (gid_t *)acl_alloc(s_tmp->group_trans_num * sizeof(gid_t));
10135 + if (gidlist == NULL)
10136 + return ERR_PTR(-ENOMEM);
10137 + if (copy_from_user(gidlist, s_tmp->group_transitions, s_tmp->group_trans_num * sizeof(gid_t)))
10138 + return ERR_PTR(-EFAULT);
10140 + s_tmp->group_transitions = gidlist;
10143 + /* set up object hash table */
10144 + num_objs = count_user_objs(ghash.first);
10146 + s_tmp->obj_hash_size = num_objs;
10147 + s_tmp->obj_hash =
10148 + (struct acl_object_label **)
10149 + create_table(&(s_tmp->obj_hash_size), sizeof(void *));
10151 + if (!s_tmp->obj_hash)
10152 + return ERR_PTR(-ENOMEM);
10154 + memset(s_tmp->obj_hash, 0,
10155 + s_tmp->obj_hash_size *
10156 + sizeof (struct acl_object_label *));
10158 + /* add in objects */
10159 + err = copy_user_objs(ghash.first, s_tmp, role);
10162 + return ERR_PTR(err);
10164 + /* set pointer for parent subject */
10165 + if (s_tmp->parent_subject) {
10166 + s_tmp2 = do_copy_user_subj(s_tmp->parent_subject, role);
10168 + if (IS_ERR(s_tmp2))
10171 + s_tmp->parent_subject = s_tmp2;
10174 + /* add in ip acls */
10176 + if (!s_tmp->ip_num) {
10177 + s_tmp->ips = NULL;
10182 + (struct acl_ip_label **) acl_alloc(s_tmp->ip_num *
10184 + acl_ip_label *));
10187 + return ERR_PTR(-ENOMEM);
10189 + for (i_num = 0; i_num < s_tmp->ip_num; i_num++) {
10190 + *(i_tmp + i_num) =
10191 + (struct acl_ip_label *)
10192 + acl_alloc(sizeof (struct acl_ip_label));
10193 + if (!*(i_tmp + i_num))
10194 + return ERR_PTR(-ENOMEM);
10196 + if (copy_from_user
10197 + (&i_utmp2, s_tmp->ips + i_num,
10198 + sizeof (struct acl_ip_label *)))
10199 + return ERR_PTR(-EFAULT);
10201 + if (copy_from_user
10202 + (*(i_tmp + i_num), i_utmp2,
10203 + sizeof (struct acl_ip_label)))
10204 + return ERR_PTR(-EFAULT);
10206 + if ((*(i_tmp + i_num))->iface == NULL)
10209 + len = strnlen_user((*(i_tmp + i_num))->iface, IFNAMSIZ);
10210 + if (!len || len >= IFNAMSIZ)
10211 + return ERR_PTR(-EINVAL);
10212 + tmp = acl_alloc(len);
10214 + return ERR_PTR(-ENOMEM);
10215 + if (copy_from_user(tmp, (*(i_tmp + i_num))->iface, len))
10216 + return ERR_PTR(-EFAULT);
10217 + (*(i_tmp + i_num))->iface = tmp;
10220 + s_tmp->ips = i_tmp;
10223 + if (!insert_name_entry(s_tmp->filename, s_tmp->inode,
10225 + return ERR_PTR(-ENOMEM);
10231 +copy_user_subjs(struct acl_subject_label *userp, struct acl_role_label *role)
10233 + struct acl_subject_label s_pre;
10234 + struct acl_subject_label * ret;
10238 + if (copy_from_user(&s_pre, userp,
10239 + sizeof (struct acl_subject_label)))
10242 + /* do not add nested subjects here, add
10243 + while parsing objects
10246 + if (s_pre.mode & GR_NESTED) {
10247 + userp = s_pre.prev;
10251 + ret = do_copy_user_subj(userp, role);
10253 + err = PTR_ERR(ret);
10257 + insert_acl_subj_label(ret, role);
10259 + userp = s_pre.prev;
10266 +copy_user_acl(struct gr_arg *arg)
10268 + struct acl_role_label *r_tmp = NULL, **r_utmp, *r_utmp2;
10269 + struct sprole_pw *sptmp;
10270 + struct gr_hash_struct *ghash;
10271 + uid_t *domainlist;
10272 + unsigned int r_num;
10273 + unsigned int len;
10279 + /* we need a default and kernel role */
10280 + if (arg->role_db.num_roles < 2)
10283 + /* copy special role authentication info from userspace */
10285 + num_sprole_pws = arg->num_sprole_pws;
10286 + acl_special_roles = (struct sprole_pw **) acl_alloc(num_sprole_pws * sizeof(struct sprole_pw *));
10288 + if (!acl_special_roles) {
10293 + for (i = 0; i < num_sprole_pws; i++) {
10294 + sptmp = (struct sprole_pw *) acl_alloc(sizeof(struct sprole_pw));
10299 + if (copy_from_user(sptmp, arg->sprole_pws + i,
10300 + sizeof (struct sprole_pw))) {
10306 + strnlen_user(sptmp->rolename, GR_SPROLE_LEN);
10308 + if (!len || len >= GR_SPROLE_LEN) {
10313 + if ((tmp = (char *) acl_alloc(len)) == NULL) {
10318 + if (copy_from_user(tmp, sptmp->rolename, len)) {
10323 +#ifdef CONFIG_GRKERNSEC_ACL_DEBUG
10324 + printk(KERN_ALERT "Copying special role %s\n", tmp);
10326 + sptmp->rolename = tmp;
10327 + acl_special_roles[i] = sptmp;
10330 + r_utmp = (struct acl_role_label **) arg->role_db.r_table;
10332 + for (r_num = 0; r_num < arg->role_db.num_roles; r_num++) {
10333 + r_tmp = acl_alloc(sizeof (struct acl_role_label));
10340 + if (copy_from_user(&r_utmp2, r_utmp + r_num,
10341 + sizeof (struct acl_role_label *))) {
10346 + if (copy_from_user(r_tmp, r_utmp2,
10347 + sizeof (struct acl_role_label))) {
10352 + len = strnlen_user(r_tmp->rolename, GR_SPROLE_LEN);
10354 + if (!len || len >= PATH_MAX) {
10359 + if ((tmp = (char *) acl_alloc(len)) == NULL) {
10363 + if (copy_from_user(tmp, r_tmp->rolename, len)) {
10367 + r_tmp->rolename = tmp;
10369 + if (!strcmp(r_tmp->rolename, "default")
10370 + && (r_tmp->roletype & GR_ROLE_DEFAULT)) {
10371 + default_role = r_tmp;
10372 + } else if (!strcmp(r_tmp->rolename, ":::kernel:::")) {
10373 + kernel_role = r_tmp;
10376 + if ((ghash = (struct gr_hash_struct *) acl_alloc(sizeof(struct gr_hash_struct))) == NULL) {
10380 + if (copy_from_user(ghash, r_tmp->hash, sizeof(struct gr_hash_struct))) {
10385 + r_tmp->hash = ghash;
10387 + num_subjs = count_user_subjs(r_tmp->hash->first);
10389 + r_tmp->subj_hash_size = num_subjs;
10390 + r_tmp->subj_hash =
10391 + (struct acl_subject_label **)
10392 + create_table(&(r_tmp->subj_hash_size), sizeof(void *));
10394 + if (!r_tmp->subj_hash) {
10399 + err = copy_user_allowedips(r_tmp);
10403 + /* copy domain info */
10404 + if (r_tmp->domain_children != NULL) {
10405 + domainlist = acl_alloc(r_tmp->domain_child_num * sizeof(uid_t));
10406 + if (domainlist == NULL) {
10410 + if (copy_from_user(domainlist, r_tmp->domain_children, r_tmp->domain_child_num * sizeof(uid_t))) {
10414 + r_tmp->domain_children = domainlist;
10417 + err = copy_user_transitions(r_tmp);
10421 + memset(r_tmp->subj_hash, 0,
10422 + r_tmp->subj_hash_size *
10423 + sizeof (struct acl_subject_label *));
10425 + err = copy_user_subjs(r_tmp->hash->first, r_tmp);
10430 + /* set nested subject list to null */
10431 + r_tmp->hash->first = NULL;
10433 + insert_acl_role_label(r_tmp);
10438 + free_variables();
10445 +gracl_init(struct gr_arg *args)
10449 + memcpy(gr_system_salt, args->salt, GR_SALT_LEN);
10450 + memcpy(gr_system_sum, args->sum, GR_SHA_LEN);
10452 + if (init_variables(args)) {
10453 + gr_log_str(GR_DONT_AUDIT_GOOD, GR_INITF_ACL_MSG, GR_VERSION);
10455 + free_variables();
10459 + error = copy_user_acl(args);
10460 + free_init_variables();
10462 + free_variables();
10466 + if ((error = gr_set_acls(0))) {
10467 + free_variables();
10471 + gr_status |= GR_READY;
10476 +/* derived from glibc fnmatch() 0: match, 1: no match*/
10479 +glob_match(const char *p, const char *n)
10483 + while ((c = *p++) != '\0') {
10488 + else if (*n == '/')
10496 + for (c = *p++; c == '?' || c == '*'; c = *p++) {
10499 + else if (c == '?') {
10509 + const char *endp;
10511 + if ((endp = strchr(n, '/')) == NULL)
10512 + endp = n + strlen(n);
10515 + for (--p; n < endp; ++n)
10516 + if (!glob_match(p, n))
10518 + } else if (c == '/') {
10519 + while (*n != '\0' && *n != '/')
10521 + if (*n == '/' && !glob_match(p, n + 1))
10524 + for (--p; n < endp; ++n)
10525 + if (*n == c && !glob_match(p, n))
10536 + if (*n == '\0' || *n == '/')
10539 + not = (*p == '!' || *p == '^');
10545 + unsigned char fn = (unsigned char)*n;
10555 + if (c == '-' && *p != ']') {
10556 + unsigned char cend = *p++;
10558 + if (cend == '\0')
10561 + if (cold <= fn && fn <= cend)
10575 + while (c != ']') {
10602 +static struct acl_object_label *
10603 +chk_glob_label(struct acl_object_label *globbed,
10604 + struct dentry *dentry, struct vfsmount *mnt, char **path)
10606 + struct acl_object_label *tmp;
10608 + if (*path == NULL)
10609 + *path = gr_to_filename_nolock(dentry, mnt);
10614 + if (!glob_match(tmp->filename, *path))
10622 +static struct acl_object_label *
10623 +__full_lookup(const struct dentry *orig_dentry, const struct vfsmount *orig_mnt,
10624 + const ino_t curr_ino, const dev_t curr_dev,
10625 + const struct acl_subject_label *subj, char **path)
10627 + struct acl_subject_label *tmpsubj;
10628 + struct acl_object_label *retval;
10629 + struct acl_object_label *retval2;
10631 + tmpsubj = (struct acl_subject_label *) subj;
10632 + read_lock(&gr_inode_lock);
10634 + retval = lookup_acl_obj_label(curr_ino, curr_dev, tmpsubj);
10636 + if (retval->globbed) {
10637 + retval2 = chk_glob_label(retval->globbed, (struct dentry *)orig_dentry,
10638 + (struct vfsmount *)orig_mnt, path);
10640 + retval = retval2;
10644 + } while ((tmpsubj = tmpsubj->parent_subject));
10645 + read_unlock(&gr_inode_lock);
10650 +static __inline__ struct acl_object_label *
10651 +full_lookup(const struct dentry *orig_dentry, const struct vfsmount *orig_mnt,
10652 + const struct dentry *curr_dentry,
10653 + const struct acl_subject_label *subj, char **path)
10655 + return __full_lookup(orig_dentry, orig_mnt,
10656 + curr_dentry->d_inode->i_ino,
10657 + curr_dentry->d_inode->i_sb->s_dev, subj, path);
10660 +static struct acl_object_label *
10661 +__chk_obj_label(const struct dentry *l_dentry, const struct vfsmount *l_mnt,
10662 + const struct acl_subject_label *subj, char *path)
10664 + struct dentry *dentry = (struct dentry *) l_dentry;
10665 + struct vfsmount *mnt = (struct vfsmount *) l_mnt;
10666 + struct acl_object_label *retval;
10668 + spin_lock(&dcache_lock);
10671 + if (dentry == real_root && mnt == real_root_mnt)
10674 + if (dentry == mnt->mnt_root || IS_ROOT(dentry)) {
10675 + if (mnt->mnt_parent == mnt)
10678 + retval = full_lookup(l_dentry, l_mnt, dentry, subj, &path);
10679 + if (retval != NULL)
10682 + dentry = mnt->mnt_mountpoint;
10683 + mnt = mnt->mnt_parent;
10687 + retval = full_lookup(l_dentry, l_mnt, dentry, subj, &path);
10688 + if (retval != NULL)
10691 + dentry = dentry->d_parent;
10694 + retval = full_lookup(l_dentry, l_mnt, dentry, subj, &path);
10696 + if (retval == NULL)
10697 + retval = full_lookup(l_dentry, l_mnt, real_root, subj, &path);
10699 + spin_unlock(&dcache_lock);
10703 +static __inline__ struct acl_object_label *
10704 +chk_obj_label(const struct dentry *l_dentry, const struct vfsmount *l_mnt,
10705 + const struct acl_subject_label *subj)
10707 + char *path = NULL;
10708 + return __chk_obj_label(l_dentry, l_mnt, subj, path);
10711 +static __inline__ struct acl_object_label *
10712 +chk_obj_create_label(const struct dentry *l_dentry, const struct vfsmount *l_mnt,
10713 + const struct acl_subject_label *subj, char *path)
10715 + return __chk_obj_label(l_dentry, l_mnt, subj, path);
10718 +static struct acl_subject_label *
10719 +chk_subj_label(const struct dentry *l_dentry, const struct vfsmount *l_mnt,
10720 + const struct acl_role_label *role)
10722 + struct dentry *dentry = (struct dentry *) l_dentry;
10723 + struct vfsmount *mnt = (struct vfsmount *) l_mnt;
10724 + struct acl_subject_label *retval;
10726 + spin_lock(&dcache_lock);
10729 + if (dentry == real_root && mnt == real_root_mnt)
10731 + if (dentry == mnt->mnt_root || IS_ROOT(dentry)) {
10732 + if (mnt->mnt_parent == mnt)
10735 + read_lock(&gr_inode_lock);
10737 + lookup_acl_subj_label(dentry->d_inode->i_ino,
10738 + dentry->d_inode->i_sb->s_dev, role);
10739 + read_unlock(&gr_inode_lock);
10740 + if (retval != NULL)
10743 + dentry = mnt->mnt_mountpoint;
10744 + mnt = mnt->mnt_parent;
10748 + read_lock(&gr_inode_lock);
10749 + retval = lookup_acl_subj_label(dentry->d_inode->i_ino,
10750 + dentry->d_inode->i_sb->s_dev, role);
10751 + read_unlock(&gr_inode_lock);
10752 + if (retval != NULL)
10755 + dentry = dentry->d_parent;
10758 + read_lock(&gr_inode_lock);
10759 + retval = lookup_acl_subj_label(dentry->d_inode->i_ino,
10760 + dentry->d_inode->i_sb->s_dev, role);
10761 + read_unlock(&gr_inode_lock);
10763 + if (unlikely(retval == NULL)) {
10764 + read_lock(&gr_inode_lock);
10765 + retval = lookup_acl_subj_label(real_root->d_inode->i_ino,
10766 + real_root->d_inode->i_sb->s_dev, role);
10767 + read_unlock(&gr_inode_lock);
10770 + spin_unlock(&dcache_lock);
10776 +gr_log_learn(const struct task_struct *task, const struct dentry *dentry, const struct vfsmount *mnt, const __u32 mode)
10778 + security_learn(GR_LEARN_AUDIT_MSG, task->role->rolename, task->role->roletype,
10779 + task->uid, task->gid, task->exec_file ? gr_to_filename1(task->exec_file->f_dentry,
10780 + task->exec_file->f_vfsmnt) : task->acl->filename, task->acl->filename,
10781 + 1, 1, gr_to_filename(dentry, mnt), (unsigned long) mode, NIPQUAD(task->signal->curr_ip));
10787 +gr_log_learn_id_change(const struct task_struct *task, const char type, const unsigned int real,
10788 + const unsigned int effective, const unsigned int fs)
10790 + security_learn(GR_ID_LEARN_MSG, task->role->rolename, task->role->roletype,
10791 + task->uid, task->gid, task->exec_file ? gr_to_filename1(task->exec_file->f_dentry,
10792 + task->exec_file->f_vfsmnt) : task->acl->filename, task->acl->filename,
10793 + type, real, effective, fs, NIPQUAD(task->signal->curr_ip));
10799 +gr_check_link(const struct dentry * new_dentry,
10800 + const struct dentry * parent_dentry,
10801 + const struct vfsmount * parent_mnt,
10802 + const struct dentry * old_dentry, const struct vfsmount * old_mnt)
10804 + struct acl_object_label *obj;
10805 + __u32 oldmode, newmode;
10808 + if (unlikely(!(gr_status & GR_READY)))
10809 + return (GR_CREATE | GR_LINK);
10811 + obj = chk_obj_label(old_dentry, old_mnt, current->acl);
10812 + oldmode = obj->mode;
10814 + if (current->acl->mode & (GR_LEARN | GR_INHERITLEARN))
10815 + oldmode |= (GR_CREATE | GR_LINK);
10817 + needmode = GR_CREATE | GR_AUDIT_CREATE | GR_SUPPRESS;
10818 + if (old_dentry->d_inode->i_mode & (S_ISUID | S_ISGID))
10819 + needmode |= GR_SETID | GR_AUDIT_SETID;
10822 + gr_check_create(new_dentry, parent_dentry, parent_mnt,
10823 + oldmode | needmode);
10825 + needmode = newmode & (GR_FIND | GR_APPEND | GR_WRITE | GR_EXEC |
10826 + GR_SETID | GR_READ | GR_FIND | GR_DELETE |
10827 + GR_INHERIT | GR_AUDIT_INHERIT);
10829 + if (old_dentry->d_inode->i_mode & (S_ISUID | S_ISGID) && !(newmode & GR_SETID))
10832 + if ((oldmode & needmode) != needmode)
10835 + needmode = oldmode & (GR_NOPTRACE | GR_PTRACERD | GR_INHERIT | GR_AUDITS);
10836 + if ((newmode & needmode) != needmode)
10839 + if ((newmode & (GR_CREATE | GR_LINK)) == (GR_CREATE | GR_LINK))
10842 + needmode = oldmode;
10843 + if (old_dentry->d_inode->i_mode & (S_ISUID | S_ISGID))
10844 + needmode |= GR_SETID;
10846 + if (current->acl->mode & (GR_LEARN | GR_INHERITLEARN)) {
10847 + gr_log_learn(current, old_dentry, old_mnt, needmode);
10848 + return (GR_CREATE | GR_LINK);
10849 + } else if (newmode & GR_SUPPRESS)
10850 + return GR_SUPPRESS;
10856 +gr_search_file(const struct dentry * dentry, const __u32 mode,
10857 + const struct vfsmount * mnt)
10859 + __u32 retval = mode;
10860 + struct acl_subject_label *curracl;
10861 + struct acl_object_label *currobj;
10863 + if (unlikely(!(gr_status & GR_READY)))
10864 + return (mode & ~GR_AUDITS);
10866 + curracl = current->acl;
10868 + currobj = chk_obj_label(dentry, mnt, curracl);
10869 + retval = currobj->mode & mode;
10872 + ((curracl->mode & (GR_LEARN | GR_INHERITLEARN)) && !(mode & GR_NOPTRACE)
10873 + && (retval != (mode & ~(GR_AUDITS | GR_SUPPRESS))))) {
10874 + __u32 new_mode = mode;
10876 + new_mode &= ~(GR_AUDITS | GR_SUPPRESS);
10878 + retval = new_mode;
10880 + if (new_mode & GR_EXEC && curracl->mode & GR_INHERITLEARN)
10881 + new_mode |= GR_INHERIT;
10883 + if (!(mode & GR_NOLEARN))
10884 + gr_log_learn(current, dentry, mnt, new_mode);
10891 +gr_check_create(const struct dentry * new_dentry, const struct dentry * parent,
10892 + const struct vfsmount * mnt, const __u32 mode)
10894 + struct name_entry *match;
10895 + struct acl_object_label *matchpo;
10896 + struct acl_subject_label *curracl;
10900 + if (unlikely(!(gr_status & GR_READY)))
10901 + return (mode & ~GR_AUDITS);
10903 + preempt_disable();
10904 + path = gr_to_filename_rbac(new_dentry, mnt);
10905 + match = lookup_name_entry(path);
10908 + goto check_parent;
10910 + curracl = current->acl;
10912 + read_lock(&gr_inode_lock);
10913 + matchpo = lookup_acl_obj_label_create(match->inode, match->device, curracl);
10914 + read_unlock(&gr_inode_lock);
10917 + if ((matchpo->mode & mode) !=
10918 + (mode & ~(GR_AUDITS | GR_SUPPRESS))
10919 + && curracl->mode & (GR_LEARN | GR_INHERITLEARN)) {
10920 + __u32 new_mode = mode;
10922 + new_mode &= ~(GR_AUDITS | GR_SUPPRESS);
10924 + gr_log_learn(current, new_dentry, mnt, new_mode);
10926 + preempt_enable();
10929 + preempt_enable();
10930 + return (matchpo->mode & mode);
10934 + curracl = current->acl;
10936 + matchpo = chk_obj_create_label(parent, mnt, curracl, path);
10937 + retval = matchpo->mode & mode;
10939 + if ((retval != (mode & ~(GR_AUDITS | GR_SUPPRESS)))
10940 + && (curracl->mode & (GR_LEARN | GR_INHERITLEARN))) {
10941 + __u32 new_mode = mode;
10943 + new_mode &= ~(GR_AUDITS | GR_SUPPRESS);
10945 + gr_log_learn(current, new_dentry, mnt, new_mode);
10946 + preempt_enable();
10950 + preempt_enable();
10955 +gr_check_hidden_task(const struct task_struct *task)
10957 + if (unlikely(!(gr_status & GR_READY)))
10960 + if (!(task->acl->mode & GR_PROCFIND) && !(current->acl->mode & GR_VIEW))
10967 +gr_check_protected_task(const struct task_struct *task)
10969 + if (unlikely(!(gr_status & GR_READY) || !task))
10972 + if ((task->acl->mode & GR_PROTECTED) && !(current->acl->mode & GR_KILL) &&
10973 + task->acl != current->acl)
10980 +gr_copy_label(struct task_struct *tsk)
10982 + tsk->signal->used_accept = 0;
10983 + tsk->acl_sp_role = 0;
10984 + tsk->acl_role_id = current->acl_role_id;
10985 + tsk->acl = current->acl;
10986 + tsk->role = current->role;
10987 + tsk->signal->curr_ip = current->signal->curr_ip;
10988 + if (current->exec_file)
10989 + get_file(current->exec_file);
10990 + tsk->exec_file = current->exec_file;
10991 + tsk->is_writable = current->is_writable;
10992 + if (unlikely(current->signal->used_accept))
10993 + current->signal->curr_ip = 0;
10999 +gr_set_proc_res(struct task_struct *task)
11001 + struct acl_subject_label *proc;
11002 + unsigned short i;
11004 + proc = task->acl;
11006 + if (proc->mode & (GR_LEARN | GR_INHERITLEARN))
11009 + for (i = 0; i < (GR_NLIMITS - 1); i++) {
11010 + if (!(proc->resmask & (1 << i)))
11013 + task->signal->rlim[i].rlim_cur = proc->res[i].rlim_cur;
11014 + task->signal->rlim[i].rlim_max = proc->res[i].rlim_max;
11021 +gr_check_user_change(int real, int effective, int fs)
11028 + int effectiveok = 0;
11031 + if (unlikely(!(gr_status & GR_READY)))
11034 + if (current->acl->mode & (GR_LEARN | GR_INHERITLEARN))
11035 + gr_log_learn_id_change(current, 'u', real, effective, fs);
11037 + num = current->acl->user_trans_num;
11038 + uidlist = current->acl->user_transitions;
11040 + if (uidlist == NULL)
11045 + if (effective == -1)
11050 + if (current->acl->user_trans_type & GR_ID_ALLOW) {
11051 + for (i = 0; i < num; i++) {
11052 + curuid = (int)uidlist[i];
11053 + if (real == curuid)
11055 + if (effective == curuid)
11057 + if (fs == curuid)
11060 + } else if (current->acl->user_trans_type & GR_ID_DENY) {
11061 + for (i = 0; i < num; i++) {
11062 + curuid = (int)uidlist[i];
11063 + if (real == curuid)
11065 + if (effective == curuid)
11067 + if (fs == curuid)
11070 + /* not in deny list */
11078 + if (realok && effectiveok && fsok)
11081 + gr_log_int(GR_DONT_AUDIT, GR_USRCHANGE_ACL_MSG, realok ? (effectiveok ? (fsok ? 0 : fs) : effective) : real);
11087 +gr_check_group_change(int real, int effective, int fs)
11094 + int effectiveok = 0;
11097 + if (unlikely(!(gr_status & GR_READY)))
11100 + if (current->acl->mode & (GR_LEARN | GR_INHERITLEARN))
11101 + gr_log_learn_id_change(current, 'g', real, effective, fs);
11103 + num = current->acl->group_trans_num;
11104 + gidlist = current->acl->group_transitions;
11106 + if (gidlist == NULL)
11111 + if (effective == -1)
11116 + if (current->acl->group_trans_type & GR_ID_ALLOW) {
11117 + for (i = 0; i < num; i++) {
11118 + curgid = (int)gidlist[i];
11119 + if (real == curgid)
11121 + if (effective == curgid)
11123 + if (fs == curgid)
11126 + } else if (current->acl->group_trans_type & GR_ID_DENY) {
11127 + for (i = 0; i < num; i++) {
11128 + curgid = (int)gidlist[i];
11129 + if (real == curgid)
11131 + if (effective == curgid)
11133 + if (fs == curgid)
11136 + /* not in deny list */
11144 + if (realok && effectiveok && fsok)
11147 + gr_log_int(GR_DONT_AUDIT, GR_GRPCHANGE_ACL_MSG, realok ? (effectiveok ? (fsok ? 0 : fs) : effective) : real);
11153 +gr_set_role_label(struct task_struct *task, const uid_t uid, const uid_t gid)
11155 + struct acl_role_label *role = task->role;
11156 + struct acl_subject_label *subj = NULL;
11157 + struct acl_object_label *obj;
11158 + struct file *filp;
11160 + if (unlikely(!(gr_status & GR_READY)))
11163 + filp = task->exec_file;
11165 + /* kernel process, we'll give them the kernel role */
11166 + if (unlikely(!filp)) {
11167 + task->role = kernel_role;
11168 + task->acl = kernel_role->root_label;
11170 + } else if (!task->role || !(task->role->roletype & GR_ROLE_SPECIAL))
11171 + role = lookup_acl_role_label(task, uid, gid);
11173 + /* perform subject lookup in possibly new role
11174 + we can use this result below in the case where role == task->role
11176 + subj = chk_subj_label(filp->f_dentry, filp->f_vfsmnt, role);
11178 + /* if we changed uid/gid, but result in the same role
11179 + and are using inheritance, don't lose the inherited subject
11180 + if current subject is other than what normal lookup
11181 + would result in, we arrived via inheritance, don't
11184 + if (role != task->role || (!(task->acl->mode & GR_INHERITLEARN) &&
11185 + (subj == task->acl)))
11186 + task->acl = subj;
11188 + task->role = role;
11190 + task->is_writable = 0;
11192 + /* ignore additional mmap checks for processes that are writable
11193 + by the default ACL */
11194 + obj = chk_obj_label(filp->f_dentry, filp->f_vfsmnt, default_role->root_label);
11195 + if (unlikely(obj->mode & GR_WRITE))
11196 + task->is_writable = 1;
11197 + obj = chk_obj_label(filp->f_dentry, filp->f_vfsmnt, task->role->root_label);
11198 + if (unlikely(obj->mode & GR_WRITE))
11199 + task->is_writable = 1;
11201 +#ifdef CONFIG_GRKERNSEC_ACL_DEBUG
11202 + printk(KERN_ALERT "Set role label for (%s:%d): role:%s, subject:%s\n", task->comm, task->pid, task->role->rolename, task->acl->filename);
11205 + gr_set_proc_res(task);
11211 +gr_set_proc_label(const struct dentry *dentry, const struct vfsmount *mnt)
11213 + struct task_struct *task = current;
11214 + struct acl_subject_label *newacl;
11215 + struct acl_object_label *obj;
11218 + if (unlikely(!(gr_status & GR_READY)))
11221 + newacl = chk_subj_label(dentry, mnt, task->role);
11224 + if (((task->ptrace & PT_PTRACED) && !(task->acl->mode &
11225 + GR_POVERRIDE) && (task->acl != newacl) &&
11226 + !(task->role->roletype & GR_ROLE_GOD) &&
11227 + !gr_search_file(dentry, GR_PTRACERD, mnt) &&
11228 + !(task->acl->mode & (GR_LEARN | GR_INHERITLEARN))) ||
11229 + (atomic_read(&task->fs->count) > 1 ||
11230 + atomic_read(&task->files->count) > 1 ||
11231 + atomic_read(&task->sighand->count) > 1)) {
11232 + task_unlock(task);
11233 + gr_log_fs_generic(GR_DONT_AUDIT, GR_PTRACE_EXEC_ACL_MSG, dentry, mnt);
11236 + task_unlock(task);
11238 + obj = chk_obj_label(dentry, mnt, task->acl);
11239 + retmode = obj->mode & (GR_INHERIT | GR_AUDIT_INHERIT);
11241 + if (!(task->acl->mode & GR_INHERITLEARN) &&
11242 + ((newacl->mode & GR_LEARN) || !(retmode & GR_INHERIT))) {
11244 + task->acl = obj->nested;
11246 + task->acl = newacl;
11247 + } else if (retmode & GR_INHERIT && retmode & GR_AUDIT_INHERIT)
11248 + gr_log_str_fs(GR_DO_AUDIT, GR_INHERIT_ACL_MSG, task->acl->filename, dentry, mnt);
11250 + task->is_writable = 0;
11252 + /* ignore additional mmap checks for processes that are writable
11253 + by the default ACL */
11254 + obj = chk_obj_label(dentry, mnt, default_role->root_label);
11255 + if (unlikely(obj->mode & GR_WRITE))
11256 + task->is_writable = 1;
11257 + obj = chk_obj_label(dentry, mnt, task->role->root_label);
11258 + if (unlikely(obj->mode & GR_WRITE))
11259 + task->is_writable = 1;
11261 + gr_set_proc_res(task);
11263 +#ifdef CONFIG_GRKERNSEC_ACL_DEBUG
11264 + printk(KERN_ALERT "Set subject label for (%s:%d): role:%s, subject:%s\n", task->comm, task->pid, task->role->rolename, task->acl->filename);
11270 +do_handle_delete(const ino_t ino, const dev_t dev)
11272 + struct acl_object_label *matchpo;
11273 + struct acl_subject_label *matchps;
11274 + struct acl_subject_label *subj;
11275 + struct acl_role_label *role;
11276 + unsigned int i, x;
11278 + FOR_EACH_ROLE_START(role, i)
11279 + FOR_EACH_SUBJECT_START(role, subj, x)
11280 + if ((matchpo = lookup_acl_obj_label(ino, dev, subj)) != NULL)
11281 + matchpo->mode |= GR_DELETED;
11282 + FOR_EACH_SUBJECT_END(subj,x)
11283 + FOR_EACH_NESTED_SUBJECT_START(role, subj)
11284 + if (subj->inode == ino && subj->device == dev)
11285 + subj->mode |= GR_DELETED;
11286 + FOR_EACH_NESTED_SUBJECT_END(subj)
11287 + if ((matchps = lookup_acl_subj_label(ino, dev, role)) != NULL)
11288 + matchps->mode |= GR_DELETED;
11289 + FOR_EACH_ROLE_END(role,i)
11295 +gr_handle_delete(const ino_t ino, const dev_t dev)
11297 + if (unlikely(!(gr_status & GR_READY)))
11300 + write_lock(&gr_inode_lock);
11301 + if (unlikely((unsigned long)lookup_inodev_entry(ino, dev)))
11302 + do_handle_delete(ino, dev);
11303 + write_unlock(&gr_inode_lock);
11309 +update_acl_obj_label(const ino_t oldinode, const dev_t olddevice,
11310 + const ino_t newinode, const dev_t newdevice,
11311 + struct acl_subject_label *subj)
11313 + unsigned int index = fhash(oldinode, olddevice, subj->obj_hash_size);
11314 + struct acl_object_label *match;
11316 + match = subj->obj_hash[index];
11318 + while (match && (match->inode != oldinode ||
11319 + match->device != olddevice ||
11320 + !(match->mode & GR_DELETED)))
11321 + match = match->next;
11323 + if (match && (match->inode == oldinode)
11324 + && (match->device == olddevice)
11325 + && (match->mode & GR_DELETED)) {
11326 + if (match->prev == NULL) {
11327 + subj->obj_hash[index] = match->next;
11328 + if (match->next != NULL)
11329 + match->next->prev = NULL;
11331 + match->prev->next = match->next;
11332 + if (match->next != NULL)
11333 + match->next->prev = match->prev;
11335 + match->prev = NULL;
11336 + match->next = NULL;
11337 + match->inode = newinode;
11338 + match->device = newdevice;
11339 + match->mode &= ~GR_DELETED;
11341 + insert_acl_obj_label(match, subj);
11348 +update_acl_subj_label(const ino_t oldinode, const dev_t olddevice,
11349 + const ino_t newinode, const dev_t newdevice,
11350 + struct acl_role_label *role)
11352 + unsigned int index = fhash(oldinode, olddevice, role->subj_hash_size);
11353 + struct acl_subject_label *match;
11355 + match = role->subj_hash[index];
11357 + while (match && (match->inode != oldinode ||
11358 + match->device != olddevice ||
11359 + !(match->mode & GR_DELETED)))
11360 + match = match->next;
11362 + if (match && (match->inode == oldinode)
11363 + && (match->device == olddevice)
11364 + && (match->mode & GR_DELETED)) {
11365 + if (match->prev == NULL) {
11366 + role->subj_hash[index] = match->next;
11367 + if (match->next != NULL)
11368 + match->next->prev = NULL;
11370 + match->prev->next = match->next;
11371 + if (match->next != NULL)
11372 + match->next->prev = match->prev;
11374 + match->prev = NULL;
11375 + match->next = NULL;
11376 + match->inode = newinode;
11377 + match->device = newdevice;
11378 + match->mode &= ~GR_DELETED;
11380 + insert_acl_subj_label(match, role);
11387 +update_inodev_entry(const ino_t oldinode, const dev_t olddevice,
11388 + const ino_t newinode, const dev_t newdevice)
11390 + unsigned int index = fhash(oldinode, olddevice, inodev_set.i_size);
11391 + struct inodev_entry *match;
11393 + match = inodev_set.i_hash[index];
11395 + while (match && (match->nentry->inode != oldinode ||
11396 + match->nentry->device != olddevice))
11397 + match = match->next;
11399 + if (match && (match->nentry->inode == oldinode)
11400 + && (match->nentry->device == olddevice)) {
11401 + if (match->prev == NULL) {
11402 + inodev_set.i_hash[index] = match->next;
11403 + if (match->next != NULL)
11404 + match->next->prev = NULL;
11406 + match->prev->next = match->next;
11407 + if (match->next != NULL)
11408 + match->next->prev = match->prev;
11410 + match->prev = NULL;
11411 + match->next = NULL;
11412 + match->nentry->inode = newinode;
11413 + match->nentry->device = newdevice;
11415 + insert_inodev_entry(match);
11422 +do_handle_create(const struct name_entry *matchn, const struct dentry *dentry,
11423 + const struct vfsmount *mnt)
11425 + struct acl_subject_label *subj;
11426 + struct acl_role_label *role;
11427 + unsigned int i, x;
11429 + FOR_EACH_ROLE_START(role, i)
11430 + update_acl_subj_label(matchn->inode, matchn->device,
11431 + dentry->d_inode->i_ino,
11432 + dentry->d_inode->i_sb->s_dev, role);
11434 + FOR_EACH_NESTED_SUBJECT_START(role, subj)
11435 + if ((subj->inode == dentry->d_inode->i_ino) &&
11436 + (subj->device == dentry->d_inode->i_sb->s_dev)) {
11437 + subj->inode = dentry->d_inode->i_ino;
11438 + subj->device = dentry->d_inode->i_sb->s_dev;
11440 + FOR_EACH_NESTED_SUBJECT_END(subj)
11441 + FOR_EACH_SUBJECT_START(role, subj, x)
11442 + update_acl_obj_label(matchn->inode, matchn->device,
11443 + dentry->d_inode->i_ino,
11444 + dentry->d_inode->i_sb->s_dev, subj);
11445 + FOR_EACH_SUBJECT_END(subj,x)
11446 + FOR_EACH_ROLE_END(role,i)
11448 + update_inodev_entry(matchn->inode, matchn->device,
11449 + dentry->d_inode->i_ino, dentry->d_inode->i_sb->s_dev);
11455 +gr_handle_create(const struct dentry *dentry, const struct vfsmount *mnt)
11457 + struct name_entry *matchn;
11459 + if (unlikely(!(gr_status & GR_READY)))
11462 + preempt_disable();
11463 + matchn = lookup_name_entry(gr_to_filename_rbac(dentry, mnt));
11465 + if (unlikely((unsigned long)matchn)) {
11466 + write_lock(&gr_inode_lock);
11467 + do_handle_create(matchn, dentry, mnt);
11468 + write_unlock(&gr_inode_lock);
11470 + preempt_enable();
11476 +gr_handle_rename(struct inode *old_dir, struct inode *new_dir,
11477 + struct dentry *old_dentry,
11478 + struct dentry *new_dentry,
11479 + struct vfsmount *mnt, const __u8 replace)
11481 + struct name_entry *matchn;
11483 + if (unlikely(!(gr_status & GR_READY)))
11486 + preempt_disable();
11487 + matchn = lookup_name_entry(gr_to_filename_rbac(new_dentry, mnt));
11489 + /* we wouldn't have to check d_inode if it weren't for
11490 + NFS silly-renaming
11493 + write_lock(&gr_inode_lock);
11494 + if (unlikely(replace && new_dentry->d_inode)) {
11495 + if (unlikely(lookup_inodev_entry(new_dentry->d_inode->i_ino,
11496 + new_dentry->d_inode->i_sb->s_dev) &&
11497 + (old_dentry->d_inode->i_nlink <= 1)))
11498 + do_handle_delete(new_dentry->d_inode->i_ino,
11499 + new_dentry->d_inode->i_sb->s_dev);
11502 + if (unlikely(lookup_inodev_entry(old_dentry->d_inode->i_ino,
11503 + old_dentry->d_inode->i_sb->s_dev) &&
11504 + (old_dentry->d_inode->i_nlink <= 1)))
11505 + do_handle_delete(old_dentry->d_inode->i_ino,
11506 + old_dentry->d_inode->i_sb->s_dev);
11508 + if (unlikely((unsigned long)matchn))
11509 + do_handle_create(matchn, old_dentry, mnt);
11511 + write_unlock(&gr_inode_lock);
11512 + preempt_enable();
11518 +lookup_special_role_auth(__u16 mode, const char *rolename, unsigned char **salt,
11519 + unsigned char **sum)
11521 + struct acl_role_label *r;
11522 + struct role_allowed_ip *ipp;
11523 + struct role_transition *trans;
11527 + /* check transition table */
11529 + for (trans = current->role->transitions; trans; trans = trans->next) {
11530 + if (!strcmp(rolename, trans->rolename)) {
11539 + /* handle special roles that do not require authentication
11542 + FOR_EACH_ROLE_START(r, i)
11543 + if (!strcmp(rolename, r->rolename) &&
11544 + (r->roletype & GR_ROLE_SPECIAL)) {
11546 + if (r->allowed_ips != NULL) {
11547 + for (ipp = r->allowed_ips; ipp; ipp = ipp->next) {
11548 + if ((ntohl(current->signal->curr_ip) & ipp->netmask) ==
11549 + (ntohl(ipp->addr) & ipp->netmask))
11557 + if (((mode == SPROLE) && (r->roletype & GR_ROLE_NOPW)) ||
11558 + ((mode == SPROLEPAM) && (r->roletype & GR_ROLE_PAM))) {
11564 + FOR_EACH_ROLE_END(r,i)
11566 + for (i = 0; i < num_sprole_pws; i++) {
11567 + if (!strcmp(rolename, acl_special_roles[i]->rolename)) {
11568 + *salt = acl_special_roles[i]->salt;
11569 + *sum = acl_special_roles[i]->sum;
11578 +assign_special_role(char *rolename)
11580 + struct acl_object_label *obj;
11581 + struct acl_role_label *r;
11582 + struct acl_role_label *assigned = NULL;
11583 + struct task_struct *tsk;
11584 + struct file *filp;
11587 + FOR_EACH_ROLE_START(r, i)
11588 + if (!strcmp(rolename, r->rolename) &&
11589 + (r->roletype & GR_ROLE_SPECIAL))
11591 + FOR_EACH_ROLE_END(r,i)
11596 + read_lock(&tasklist_lock);
11597 + read_lock(&grsec_exec_file_lock);
11599 + tsk = current->parent;
11603 + filp = tsk->exec_file;
11604 + if (filp == NULL)
11607 + tsk->is_writable = 0;
11609 + tsk->acl_sp_role = 1;
11610 + tsk->acl_role_id = ++acl_sp_role_value;
11611 + tsk->role = assigned;
11612 + tsk->acl = chk_subj_label(filp->f_dentry, filp->f_vfsmnt, tsk->role);
11614 + /* ignore additional mmap checks for processes that are writable
11615 + by the default ACL */
11616 + obj = chk_obj_label(filp->f_dentry, filp->f_vfsmnt, default_role->root_label);
11617 + if (unlikely(obj->mode & GR_WRITE))
11618 + tsk->is_writable = 1;
11619 + obj = chk_obj_label(filp->f_dentry, filp->f_vfsmnt, tsk->role->root_label);
11620 + if (unlikely(obj->mode & GR_WRITE))
11621 + tsk->is_writable = 1;
11623 +#ifdef CONFIG_GRKERNSEC_ACL_DEBUG
11624 + printk(KERN_ALERT "Assigning special role:%s subject:%s to process (%s:%d)\n", tsk->role->rolename, tsk->acl->filename, tsk->comm, tsk->pid);
11628 + read_unlock(&grsec_exec_file_lock);
11629 + read_unlock(&tasklist_lock);
11633 +int gr_check_secure_terminal(struct task_struct *task)
11635 + struct task_struct *p, *p2, *p3;
11636 + struct files_struct *files;
11637 + struct fdtable *fdt;
11638 + struct file *our_file = NULL, *file;
11641 + if (task->signal->tty == NULL)
11644 + files = get_files_struct(task);
11645 + if (files != NULL) {
11647 + fdt = files_fdtable(files);
11648 + for (i=0; i < fdt->max_fds; i++) {
11649 + file = fcheck_files(files, i);
11650 + if (file && (our_file == NULL) && (file->private_data == task->signal->tty)) {
11655 + rcu_read_unlock();
11656 + put_files_struct(files);
11659 + if (our_file == NULL)
11662 + read_lock(&tasklist_lock);
11663 + do_each_thread(p2, p) {
11664 + files = get_files_struct(p);
11665 + if (files == NULL ||
11666 + (p->signal && p->signal->tty == task->signal->tty)) {
11667 + if (files != NULL)
11668 + put_files_struct(files);
11672 + fdt = files_fdtable(files);
11673 + for (i=0; i < fdt->max_fds; i++) {
11674 + file = fcheck_files(files, i);
11675 + if (file && S_ISCHR(file->f_dentry->d_inode->i_mode) &&
11676 + file->f_dentry->d_inode->i_rdev == our_file->f_dentry->d_inode->i_rdev) {
11678 + while (p3->pid > 0) {
11685 + gr_log_ttysniff(GR_DONT_AUDIT_GOOD, GR_TTYSNIFF_ACL_MSG, p);
11686 + gr_handle_alertkill(p);
11687 + rcu_read_unlock();
11688 + put_files_struct(files);
11689 + read_unlock(&tasklist_lock);
11694 + rcu_read_unlock();
11695 + put_files_struct(files);
11696 + } while_each_thread(p2, p);
11697 + read_unlock(&tasklist_lock);
11704 +write_grsec_handler(struct file *file, const char * buf, size_t count, loff_t *ppos)
11706 + struct gr_arg_wrapper uwrap;
11707 + unsigned char *sprole_salt;
11708 + unsigned char *sprole_sum;
11709 + int error = sizeof (struct gr_arg_wrapper);
11712 + down(&gr_dev_sem);
11714 + if ((gr_status & GR_READY) && !(current->acl->mode & GR_KERNELAUTH)) {
11719 + if (count != sizeof (struct gr_arg_wrapper)) {
11720 + gr_log_int_int(GR_DONT_AUDIT_GOOD, GR_DEV_ACL_MSG, (int)count, (int)sizeof(struct gr_arg_wrapper));
11726 + if (gr_auth_expires && time_after_eq(get_seconds(), gr_auth_expires)) {
11727 + gr_auth_expires = 0;
11728 + gr_auth_attempts = 0;
11731 + if (copy_from_user(&uwrap, buf, sizeof (struct gr_arg_wrapper))) {
11736 + if ((uwrap.version != GRSECURITY_VERSION) || (uwrap.size != sizeof(struct gr_arg))) {
11741 + if (copy_from_user(gr_usermode, uwrap.arg, sizeof (struct gr_arg))) {
11746 + if (gr_usermode->mode != SPROLE && gr_usermode->mode != SPROLEPAM &&
11747 + gr_auth_attempts >= CONFIG_GRKERNSEC_ACL_MAXTRIES &&
11748 + time_after(gr_auth_expires, get_seconds())) {
11753 + /* if non-root trying to do anything other than use a special role,
11754 + do not attempt authentication, do not count towards authentication
11758 + if (gr_usermode->mode != SPROLE && gr_usermode->mode != STATUS &&
11759 + gr_usermode->mode != UNSPROLE && gr_usermode->mode != SPROLEPAM &&
11765 + /* ensure pw and special role name are null terminated */
11767 + gr_usermode->pw[GR_PW_LEN - 1] = '\0';
11768 + gr_usermode->sp_role[GR_SPROLE_LEN - 1] = '\0';
11771 + * We have our enough of the argument structure..(we have yet
11772 + * to copy_from_user the tables themselves) . Copy the tables
11773 + * only if we need them, i.e. for loading operations. */
11775 + switch (gr_usermode->mode) {
11777 + if (gr_status & GR_READY) {
11779 + if (!gr_check_secure_terminal(current))
11785 + if ((gr_status & GR_READY)
11786 + && !(chkpw(gr_usermode, gr_system_salt, gr_system_sum))) {
11787 + gr_status &= ~GR_READY;
11788 + gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SHUTS_ACL_MSG);
11789 + free_variables();
11790 + memset(gr_usermode, 0, sizeof (struct gr_arg));
11791 + memset(gr_system_salt, 0, GR_SALT_LEN);
11792 + memset(gr_system_sum, 0, GR_SHA_LEN);
11793 + } else if (gr_status & GR_READY) {
11794 + gr_log_noargs(GR_DONT_AUDIT, GR_SHUTF_ACL_MSG);
11797 + gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SHUTI_ACL_MSG);
11802 + if (!(gr_status & GR_READY) && !(error2 = gracl_init(gr_usermode)))
11803 + gr_log_str(GR_DONT_AUDIT_GOOD, GR_ENABLE_ACL_MSG, GR_VERSION);
11805 + if (gr_status & GR_READY)
11809 + gr_log_str(GR_DONT_AUDIT, GR_ENABLEF_ACL_MSG, GR_VERSION);
11813 + if (!(gr_status & GR_READY)) {
11814 + gr_log_str(GR_DONT_AUDIT_GOOD, GR_RELOADI_ACL_MSG, GR_VERSION);
11816 + } else if (!(chkpw(gr_usermode, gr_system_salt, gr_system_sum))) {
11818 + gr_status &= ~GR_READY;
11819 + free_variables();
11820 + if (!(error2 = gracl_init(gr_usermode))) {
11822 + gr_log_str(GR_DONT_AUDIT_GOOD, GR_RELOAD_ACL_MSG, GR_VERSION);
11826 + gr_log_str(GR_DONT_AUDIT, GR_RELOADF_ACL_MSG, GR_VERSION);
11829 + gr_log_str(GR_DONT_AUDIT, GR_RELOADF_ACL_MSG, GR_VERSION);
11834 + if (unlikely(!(gr_status & GR_READY))) {
11835 + gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SEGVMODI_ACL_MSG);
11840 + if (!(chkpw(gr_usermode, gr_system_salt, gr_system_sum))) {
11841 + gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SEGVMODS_ACL_MSG);
11842 + if (gr_usermode->segv_device && gr_usermode->segv_inode) {
11843 + struct acl_subject_label *segvacl;
11845 + lookup_acl_subj_label(gr_usermode->segv_inode,
11846 + gr_usermode->segv_device,
11849 + segvacl->crashes = 0;
11850 + segvacl->expires = 0;
11852 + } else if (gr_find_uid(gr_usermode->segv_uid) >= 0) {
11853 + gr_remove_uid(gr_usermode->segv_uid);
11856 + gr_log_noargs(GR_DONT_AUDIT, GR_SEGVMODF_ACL_MSG);
11862 + if (unlikely(!(gr_status & GR_READY))) {
11863 + gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SPROLEI_ACL_MSG);
11868 + if (current->role->expires && time_after_eq(get_seconds(), current->role->expires)) {
11869 + current->role->expires = 0;
11870 + current->role->auth_attempts = 0;
11873 + if (current->role->auth_attempts >= CONFIG_GRKERNSEC_ACL_MAXTRIES &&
11874 + time_after(current->role->expires, get_seconds())) {
11879 + if (lookup_special_role_auth
11880 + (gr_usermode->mode, gr_usermode->sp_role, &sprole_salt, &sprole_sum)
11881 + && ((!sprole_salt && !sprole_sum)
11882 + || !(chkpw(gr_usermode, sprole_salt, sprole_sum)))) {
11884 + assign_special_role(gr_usermode->sp_role);
11885 + read_lock(&tasklist_lock);
11886 + if (current->parent)
11887 + p = current->parent->role->rolename;
11888 + read_unlock(&tasklist_lock);
11889 + gr_log_str_int(GR_DONT_AUDIT_GOOD, GR_SPROLES_ACL_MSG,
11890 + p, acl_sp_role_value);
11892 + gr_log_str(GR_DONT_AUDIT, GR_SPROLEF_ACL_MSG, gr_usermode->sp_role);
11894 + if(!(current->role->auth_attempts++))
11895 + current->role->expires = get_seconds() + CONFIG_GRKERNSEC_ACL_TIMEOUT;
11901 + if (unlikely(!(gr_status & GR_READY))) {
11902 + gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_UNSPROLEI_ACL_MSG);
11907 + if (current->role->roletype & GR_ROLE_SPECIAL) {
11911 + read_lock(&tasklist_lock);
11912 + if (current->parent) {
11913 + p = current->parent->role->rolename;
11914 + i = current->parent->acl_role_id;
11916 + read_unlock(&tasklist_lock);
11918 + gr_log_str_int(GR_DONT_AUDIT_GOOD, GR_UNSPROLES_ACL_MSG, p, i);
11921 + gr_log_str(GR_DONT_AUDIT, GR_UNSPROLEF_ACL_MSG, current->role->rolename);
11927 + gr_log_int(GR_DONT_AUDIT, GR_INVMODE_ACL_MSG, gr_usermode->mode);
11932 + if (error != -EPERM)
11935 + if(!(gr_auth_attempts++))
11936 + gr_auth_expires = get_seconds() + CONFIG_GRKERNSEC_ACL_TIMEOUT;
11944 +gr_set_acls(const int type)
11946 + struct acl_object_label *obj;
11947 + struct task_struct *task, *task2;
11948 + struct file *filp;
11949 + struct acl_role_label *role = current->role;
11950 + __u16 acl_role_id = current->acl_role_id;
11952 + read_lock(&tasklist_lock);
11953 + read_lock(&grsec_exec_file_lock);
11954 + do_each_thread(task2, task) {
11955 + /* check to see if we're called from the exit handler,
11956 + if so, only replace ACLs that have inherited the admin
11959 + if (type && (task->role != role ||
11960 + task->acl_role_id != acl_role_id))
11963 + task->acl_role_id = 0;
11964 + task->acl_sp_role = 0;
11966 + if ((filp = task->exec_file)) {
11967 + task->role = lookup_acl_role_label(task, task->uid, task->gid);
11970 + chk_subj_label(filp->f_dentry, filp->f_vfsmnt,
11973 + struct acl_subject_label *curr;
11974 + curr = task->acl;
11976 + task->is_writable = 0;
11977 + /* ignore additional mmap checks for processes that are writable
11978 + by the default ACL */
11979 + obj = chk_obj_label(filp->f_dentry, filp->f_vfsmnt, default_role->root_label);
11980 + if (unlikely(obj->mode & GR_WRITE))
11981 + task->is_writable = 1;
11982 + obj = chk_obj_label(filp->f_dentry, filp->f_vfsmnt, task->role->root_label);
11983 + if (unlikely(obj->mode & GR_WRITE))
11984 + task->is_writable = 1;
11986 + gr_set_proc_res(task);
11988 +#ifdef CONFIG_GRKERNSEC_ACL_DEBUG
11989 + printk(KERN_ALERT "gr_set_acls for (%s:%d): role:%s, subject:%s\n", task->comm, task->pid, task->role->rolename, task->acl->filename);
11992 + read_unlock(&grsec_exec_file_lock);
11993 + read_unlock(&tasklist_lock);
11994 + gr_log_str_int(GR_DONT_AUDIT_GOOD, GR_DEFACL_MSG, task->comm, task->pid);
11998 + // it's a kernel process
11999 + task->role = kernel_role;
12000 + task->acl = kernel_role->root_label;
12001 +#ifdef CONFIG_GRKERNSEC_ACL_HIDEKERN
12002 + task->acl->mode &= ~GR_PROCFIND;
12005 + } while_each_thread(task2, task);
12006 + read_unlock(&grsec_exec_file_lock);
12007 + read_unlock(&tasklist_lock);
12012 +gr_learn_resource(const struct task_struct *task,
12013 + const int res, const unsigned long wanted, const int gt)
12015 + struct acl_subject_label *acl;
12017 + if (unlikely((gr_status & GR_READY) &&
12018 + task->acl && (task->acl->mode & (GR_LEARN | GR_INHERITLEARN))))
12019 + goto skip_reslog;
12021 +#ifdef CONFIG_GRKERNSEC_RESLOG
12022 + gr_log_resource(task, res, wanted, gt);
12026 + if (unlikely(!(gr_status & GR_READY) || !wanted))
12031 + if (likely(!acl || !(acl->mode & (GR_LEARN | GR_INHERITLEARN)) ||
12032 + !(acl->resmask & (1 << (unsigned short) res))))
12035 + if (wanted >= acl->res[res].rlim_cur) {
12036 + unsigned long res_add;
12038 + res_add = wanted;
12041 + res_add += GR_RLIM_CPU_BUMP;
12043 + case RLIMIT_FSIZE:
12044 + res_add += GR_RLIM_FSIZE_BUMP;
12046 + case RLIMIT_DATA:
12047 + res_add += GR_RLIM_DATA_BUMP;
12049 + case RLIMIT_STACK:
12050 + res_add += GR_RLIM_STACK_BUMP;
12052 + case RLIMIT_CORE:
12053 + res_add += GR_RLIM_CORE_BUMP;
12056 + res_add += GR_RLIM_RSS_BUMP;
12058 + case RLIMIT_NPROC:
12059 + res_add += GR_RLIM_NPROC_BUMP;
12061 + case RLIMIT_NOFILE:
12062 + res_add += GR_RLIM_NOFILE_BUMP;
12064 + case RLIMIT_MEMLOCK:
12065 + res_add += GR_RLIM_MEMLOCK_BUMP;
12068 + res_add += GR_RLIM_AS_BUMP;
12070 + case RLIMIT_LOCKS:
12071 + res_add += GR_RLIM_LOCKS_BUMP;
12075 + acl->res[res].rlim_cur = res_add;
12077 + if (wanted > acl->res[res].rlim_max)
12078 + acl->res[res].rlim_max = res_add;
12080 + security_learn(GR_LEARN_AUDIT_MSG, task->role->rolename,
12081 + task->role->roletype, acl->filename,
12082 + acl->res[res].rlim_cur, acl->res[res].rlim_max,
12083 + "", (unsigned long) res);
12089 +#ifdef CONFIG_PAX_HAVE_ACL_FLAGS
12091 +pax_set_initial_flags(struct linux_binprm *bprm)
12093 + struct task_struct *task = current;
12094 + struct acl_subject_label *proc;
12095 + unsigned long flags;
12097 + if (unlikely(!(gr_status & GR_READY)))
12100 + flags = pax_get_flags(task);
12102 + proc = task->acl;
12104 + if (proc->pax_flags & GR_PAX_DISABLE_PAGEEXEC)
12105 + flags &= ~MF_PAX_PAGEEXEC;
12106 + if (proc->pax_flags & GR_PAX_DISABLE_SEGMEXEC)
12107 + flags &= ~MF_PAX_SEGMEXEC;
12108 + if (proc->pax_flags & GR_PAX_DISABLE_RANDMMAP)
12109 + flags &= ~MF_PAX_RANDMMAP;
12110 + if (proc->pax_flags & GR_PAX_DISABLE_EMUTRAMP)
12111 + flags &= ~MF_PAX_EMUTRAMP;
12112 + if (proc->pax_flags & GR_PAX_DISABLE_MPROTECT)
12113 + flags &= ~MF_PAX_MPROTECT;
12115 + if (proc->pax_flags & GR_PAX_ENABLE_PAGEEXEC)
12116 + flags |= MF_PAX_PAGEEXEC;
12117 + if (proc->pax_flags & GR_PAX_ENABLE_SEGMEXEC)
12118 + flags |= MF_PAX_SEGMEXEC;
12119 + if (proc->pax_flags & GR_PAX_ENABLE_RANDMMAP)
12120 + flags |= MF_PAX_RANDMMAP;
12121 + if (proc->pax_flags & GR_PAX_ENABLE_EMUTRAMP)
12122 + flags |= MF_PAX_EMUTRAMP;
12123 + if (proc->pax_flags & GR_PAX_ENABLE_MPROTECT)
12124 + flags |= MF_PAX_MPROTECT;
12126 + pax_set_flags(task, flags);
12132 +#ifdef CONFIG_SYSCTL
12133 +extern struct proc_dir_entry *proc_sys_root;
12135 +/* the following function is called under the BKL */
12138 +gr_handle_sysctl(const struct ctl_table *table, const void *oldval,
12139 + const void *newval)
12141 + struct proc_dir_entry *tmp;
12142 + struct nameidata nd;
12143 + const char *proc_sys = "/proc/sys";
12145 + struct acl_object_label *obj;
12146 + unsigned short len = 0, pos = 0, depth = 0, i;
12150 + if (unlikely(!(gr_status & GR_READY)))
12153 + path = per_cpu_ptr(gr_shared_page[0], smp_processor_id());
12158 + mode |= GR_WRITE;
12160 + /* convert the requested sysctl entry into a pathname */
12162 + for (tmp = table->de; tmp != proc_sys_root; tmp = tmp->parent) {
12163 + len += strlen(tmp->name);
12168 + if ((len + depth + strlen(proc_sys) + 1) > PAGE_SIZE)
12169 + return 0; /* deny */
12171 + memset(path, 0, PAGE_SIZE);
12173 + memcpy(path, proc_sys, strlen(proc_sys));
12175 + pos += strlen(proc_sys);
12177 + for (; depth > 0; depth--) {
12180 + for (i = 1, tmp = table->de; tmp != proc_sys_root;
12181 + tmp = tmp->parent) {
12182 + if (depth == i) {
12183 + memcpy(path + pos, tmp->name,
12184 + strlen(tmp->name));
12185 + pos += strlen(tmp->name);
12191 + err = path_lookup(path, LOOKUP_FOLLOW, &nd);
12196 + obj = chk_obj_label(nd.dentry, nd.mnt, current->acl);
12197 + err = obj->mode & (mode | to_gr_audit(mode) | GR_SUPPRESS);
12199 + if (unlikely((current->acl->mode & (GR_LEARN | GR_INHERITLEARN)) &&
12200 + ((err & mode) != mode))) {
12201 + __u32 new_mode = mode;
12203 + new_mode &= ~(GR_AUDITS | GR_SUPPRESS);
12206 + gr_log_learn(current, nd.dentry, nd.mnt, new_mode);
12207 + } else if ((err & mode) != mode && !(err & GR_SUPPRESS)) {
12208 + gr_log_str4(GR_DONT_AUDIT, GR_SYSCTL_ACL_MSG, "denied",
12209 + path, (mode & GR_READ) ? " reading" : "",
12210 + (mode & GR_WRITE) ? " writing" : "");
12212 + } else if ((err & mode) != mode) {
12214 + } else if (((err & mode) == mode) && (err & GR_AUDITS)) {
12215 + gr_log_str4(GR_DO_AUDIT, GR_SYSCTL_ACL_MSG, "successful",
12216 + path, (mode & GR_READ) ? " reading" : "",
12217 + (mode & GR_WRITE) ? " writing" : "");
12220 + path_release(&nd);
12228 +gr_handle_proc_ptrace(struct task_struct *task)
12230 + struct file *filp;
12231 + struct task_struct *tmp = task;
12232 + struct task_struct *curtemp = current;
12235 + if (unlikely(!(gr_status & GR_READY)))
12238 + read_lock(&tasklist_lock);
12239 + read_lock(&grsec_exec_file_lock);
12240 + filp = task->exec_file;
12242 + while (tmp->pid > 0) {
12243 + if (tmp == curtemp)
12245 + tmp = tmp->parent;
12248 + if (!filp || (tmp->pid == 0 && !(current->acl->mode & GR_RELAXPTRACE))) {
12249 + read_unlock(&grsec_exec_file_lock);
12250 + read_unlock(&tasklist_lock);
12254 + retmode = gr_search_file(filp->f_dentry, GR_NOPTRACE, filp->f_vfsmnt);
12255 + read_unlock(&grsec_exec_file_lock);
12256 + read_unlock(&tasklist_lock);
12258 + if (retmode & GR_NOPTRACE)
12261 + if (!(current->acl->mode & GR_POVERRIDE) && !(current->role->roletype & GR_ROLE_GOD)
12262 + && (current->acl != task->acl || (current->acl != current->role->root_label
12263 + && current->pid != task->pid)))
12270 +gr_handle_ptrace(struct task_struct *task, const long request)
12272 + struct task_struct *tmp = task;
12273 + struct task_struct *curtemp = current;
12276 + if (unlikely(!(gr_status & GR_READY)))
12279 + read_lock(&tasklist_lock);
12280 + while (tmp->pid > 0) {
12281 + if (tmp == curtemp)
12283 + tmp = tmp->parent;
12286 + if (tmp->pid == 0 && !(current->acl->mode & GR_RELAXPTRACE)) {
12287 + read_unlock(&tasklist_lock);
12288 + gr_log_ptrace(GR_DONT_AUDIT, GR_PTRACE_ACL_MSG, task);
12291 + read_unlock(&tasklist_lock);
12293 + read_lock(&grsec_exec_file_lock);
12294 + if (unlikely(!task->exec_file)) {
12295 + read_unlock(&grsec_exec_file_lock);
12299 + retmode = gr_search_file(task->exec_file->f_dentry, GR_PTRACERD | GR_NOPTRACE, task->exec_file->f_vfsmnt);
12300 + read_unlock(&grsec_exec_file_lock);
12302 + if (retmode & GR_NOPTRACE) {
12303 + gr_log_ptrace(GR_DONT_AUDIT, GR_PTRACE_ACL_MSG, task);
12307 + if (retmode & GR_PTRACERD) {
12308 + switch (request) {
12309 + case PTRACE_POKETEXT:
12310 + case PTRACE_POKEDATA:
12311 + case PTRACE_POKEUSR:
12312 +#if !defined(CONFIG_PPC32) && !defined(CONFIG_PPC64) && !defined(CONFIG_PARISC) && !defined(CONFIG_ALPHA) && !defined(CONFIG_IA64)
12313 + case PTRACE_SETREGS:
12314 + case PTRACE_SETFPREGS:
12317 + case PTRACE_SETFPXREGS:
12319 +#ifdef CONFIG_ALTIVEC
12320 + case PTRACE_SETVRREGS:
12326 + } else if (!(current->acl->mode & GR_POVERRIDE) &&
12327 + !(current->role->roletype & GR_ROLE_GOD) &&
12328 + (current->acl != task->acl)) {
12329 + gr_log_ptrace(GR_DONT_AUDIT, GR_PTRACE_ACL_MSG, task);
12336 +static int is_writable_mmap(const struct file *filp)
12338 + struct task_struct *task = current;
12339 + struct acl_object_label *obj, *obj2;
12341 + if (gr_status & GR_READY && !(task->acl->mode & GR_OVERRIDE) &&
12342 + !task->is_writable && S_ISREG(filp->f_dentry->d_inode->i_mode)) {
12343 + obj = chk_obj_label(filp->f_dentry, filp->f_vfsmnt, default_role->root_label);
12344 + obj2 = chk_obj_label(filp->f_dentry, filp->f_vfsmnt,
12345 + task->role->root_label);
12346 + if (unlikely((obj->mode & GR_WRITE) || (obj2->mode & GR_WRITE))) {
12347 + gr_log_fs_generic(GR_DONT_AUDIT, GR_WRITLIB_ACL_MSG, filp->f_dentry, filp->f_vfsmnt);
12355 +gr_acl_handle_mmap(const struct file *file, const unsigned long prot)
12359 + if (unlikely(!file || !(prot & PROT_EXEC)))
12362 + if (is_writable_mmap(file))
12366 + gr_search_file(file->f_dentry,
12367 + GR_EXEC | GR_AUDIT_EXEC | GR_SUPPRESS,
12370 + if (!gr_tpe_allow(file))
12373 + if (unlikely(!(mode & GR_EXEC) && !(mode & GR_SUPPRESS))) {
12374 + gr_log_fs_rbac_generic(GR_DONT_AUDIT, GR_MMAP_ACL_MSG, file->f_dentry, file->f_vfsmnt);
12376 + } else if (unlikely(!(mode & GR_EXEC))) {
12378 + } else if (unlikely(mode & GR_EXEC && mode & GR_AUDIT_EXEC)) {
12379 + gr_log_fs_rbac_generic(GR_DO_AUDIT, GR_MMAP_ACL_MSG, file->f_dentry, file->f_vfsmnt);
12387 +gr_acl_handle_mprotect(const struct file *file, const unsigned long prot)
12391 + if (unlikely(!file || !(prot & PROT_EXEC)))
12394 + if (is_writable_mmap(file))
12398 + gr_search_file(file->f_dentry,
12399 + GR_EXEC | GR_AUDIT_EXEC | GR_SUPPRESS,
12402 + if (!gr_tpe_allow(file))
12405 + if (unlikely(!(mode & GR_EXEC) && !(mode & GR_SUPPRESS))) {
12406 + gr_log_fs_rbac_generic(GR_DONT_AUDIT, GR_MPROTECT_ACL_MSG, file->f_dentry, file->f_vfsmnt);
12408 + } else if (unlikely(!(mode & GR_EXEC))) {
12410 + } else if (unlikely(mode & GR_EXEC && mode & GR_AUDIT_EXEC)) {
12411 + gr_log_fs_rbac_generic(GR_DO_AUDIT, GR_MPROTECT_ACL_MSG, file->f_dentry, file->f_vfsmnt);
12419 +gr_acl_handle_psacct(struct task_struct *task, const long code)
12421 + unsigned long runtime;
12422 + unsigned long cputime;
12423 + unsigned int wday, cday;
12428 + if (unlikely(!(gr_status & GR_READY) || !task->acl ||
12429 + !(task->acl->mode & GR_PROCACCT)))
12432 + runtime = xtime.tv_sec - task->start_time.tv_sec;
12433 + wday = runtime / (3600 * 24);
12434 + runtime -= wday * (3600 * 24);
12435 + whr = runtime / 3600;
12436 + runtime -= whr * 3600;
12437 + wmin = runtime / 60;
12438 + runtime -= wmin * 60;
12441 + cputime = (task->utime + task->stime) / HZ;
12442 + cday = cputime / (3600 * 24);
12443 + cputime -= cday * (3600 * 24);
12444 + chr = cputime / 3600;
12445 + cputime -= chr * 3600;
12446 + cmin = cputime / 60;
12447 + cputime -= cmin * 60;
12450 + gr_log_procacct(GR_DO_AUDIT, GR_ACL_PROCACCT_MSG, task, wday, whr, wmin, wsec, cday, chr, cmin, csec, code);
12455 +void gr_set_kernel_label(struct task_struct *task)
12457 + if (gr_status & GR_READY) {
12458 + task->role = kernel_role;
12459 + task->acl = kernel_role->root_label;
12464 +int gr_acl_handle_filldir(const struct file *file, const char *name, const unsigned int namelen, const ino_t ino)
12466 + struct task_struct *task = current;
12467 + struct dentry *dentry = file->f_dentry;
12468 + struct vfsmount *mnt = file->f_vfsmnt;
12469 + struct acl_object_label *obj, *tmp;
12470 + struct acl_subject_label *subj;
12471 + unsigned int bufsize;
12475 + if (unlikely(!(gr_status & GR_READY)))
12478 + if (task->acl->mode & (GR_LEARN | GR_INHERITLEARN))
12481 + subj = task->acl;
12483 + obj = lookup_acl_obj_label(ino, dentry->d_inode->i_sb->s_dev, subj);
12485 + return (obj->mode & GR_FIND) ? 1 : 0;
12486 + } while ((subj = subj->parent_subject));
12488 + obj = chk_obj_label(dentry, mnt, task->acl);
12489 + if (obj->globbed == NULL)
12490 + return (obj->mode & GR_FIND) ? 1 : 0;
12492 + is_not_root = ((obj->filename[0] == '/') &&
12493 + (obj->filename[1] == '\0')) ? 0 : 1;
12494 + bufsize = PAGE_SIZE - namelen - is_not_root;
12496 + /* check bufsize > PAGE_SIZE || bufsize == 0 */
12497 + if (unlikely((bufsize - 1) > (PAGE_SIZE - 1)))
12500 + preempt_disable();
12501 + path = d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[0], smp_processor_id()),
12504 + bufsize = strlen(path);
12506 + /* if base is "/", don't append an additional slash */
12508 + *(path + bufsize) = '/';
12509 + memcpy(path + bufsize + is_not_root, name, namelen);
12510 + *(path + bufsize + namelen + is_not_root) = '\0';
12512 + tmp = obj->globbed;
12514 + if (!glob_match(tmp->filename, path)) {
12515 + preempt_enable();
12516 + return (tmp->mode & GR_FIND) ? 1 : 0;
12520 + preempt_enable();
12521 + return (obj->mode & GR_FIND) ? 1 : 0;
12524 +EXPORT_SYMBOL(gr_learn_resource);
12525 +EXPORT_SYMBOL(gr_set_kernel_label);
12526 +#ifdef CONFIG_SECURITY
12527 +EXPORT_SYMBOL(gr_check_user_change);
12528 +EXPORT_SYMBOL(gr_check_group_change);
12531 diff -urNp linux-2.6.16.12/grsecurity/gracl_cap.c linux-2.6.16.12/grsecurity/gracl_cap.c
12532 --- linux-2.6.16.12/grsecurity/gracl_cap.c 1969-12-31 19:00:00.000000000 -0500
12533 +++ linux-2.6.16.12/grsecurity/gracl_cap.c 2006-05-01 20:17:33.000000000 -0400
12535 +#include <linux/kernel.h>
12536 +#include <linux/module.h>
12537 +#include <linux/sched.h>
12538 +#include <linux/capability.h>
12539 +#include <linux/gracl.h>
12540 +#include <linux/grsecurity.h>
12541 +#include <linux/grinternal.h>
12543 +static const char *captab_log[] = {
12545 + "CAP_DAC_OVERRIDE",
12546 + "CAP_DAC_READ_SEARCH",
12553 + "CAP_LINUX_IMMUTABLE",
12554 + "CAP_NET_BIND_SERVICE",
12555 + "CAP_NET_BROADCAST",
12560 + "CAP_SYS_MODULE",
12562 + "CAP_SYS_CHROOT",
12563 + "CAP_SYS_PTRACE",
12568 + "CAP_SYS_RESOURCE",
12570 + "CAP_SYS_TTY_CONFIG",
12575 +EXPORT_SYMBOL(gr_task_is_capable);
12578 +gr_task_is_capable(struct task_struct *task, const int cap)
12580 + struct acl_subject_label *curracl;
12581 + __u32 cap_drop = 0, cap_mask = 0;
12583 + if (!gr_acl_is_enabled())
12586 + curracl = task->acl;
12588 + cap_drop = curracl->cap_lower;
12589 + cap_mask = curracl->cap_mask;
12591 + while ((curracl = curracl->parent_subject)) {
12592 + if (!(cap_mask & (1 << cap)) && (curracl->cap_mask & (1 << cap)))
12593 + cap_drop |= curracl->cap_lower & (1 << cap);
12594 + cap_mask |= curracl->cap_mask;
12597 + if (!cap_raised(cap_drop, cap))
12600 + curracl = task->acl;
12602 + if ((curracl->mode & (GR_LEARN | GR_INHERITLEARN))
12603 + && cap_raised(task->cap_effective, cap)) {
12604 + security_learn(GR_LEARN_AUDIT_MSG, task->role->rolename,
12605 + task->role->roletype, task->uid,
12606 + task->gid, task->exec_file ?
12607 + gr_to_filename(task->exec_file->f_dentry,
12608 + task->exec_file->f_vfsmnt) : curracl->filename,
12609 + curracl->filename, 0UL,
12610 + 0UL, "", (unsigned long) cap, NIPQUAD(task->signal->curr_ip));
12614 + if ((cap >= 0) && (cap < (sizeof(captab_log)/sizeof(captab_log[0]))) && cap_raised(task->cap_effective, cap))
12615 + gr_log_cap(GR_DONT_AUDIT, GR_CAP_ACL_MSG, task, captab_log[cap]);
12621 +gr_is_capable_nolog(const int cap)
12623 + struct acl_subject_label *curracl;
12624 + __u32 cap_drop = 0, cap_mask = 0;
12626 + if (!gr_acl_is_enabled())
12629 + curracl = current->acl;
12631 + cap_drop = curracl->cap_lower;
12632 + cap_mask = curracl->cap_mask;
12634 + while ((curracl = curracl->parent_subject)) {
12635 + cap_drop |= curracl->cap_lower & (cap_mask & ~curracl->cap_mask);
12636 + cap_mask |= curracl->cap_mask;
12639 + if (!cap_raised(cap_drop, cap))
12645 diff -urNp linux-2.6.16.12/grsecurity/gracl_fs.c linux-2.6.16.12/grsecurity/gracl_fs.c
12646 --- linux-2.6.16.12/grsecurity/gracl_fs.c 1969-12-31 19:00:00.000000000 -0500
12647 +++ linux-2.6.16.12/grsecurity/gracl_fs.c 2006-05-01 20:17:33.000000000 -0400
12649 +#include <linux/kernel.h>
12650 +#include <linux/sched.h>
12651 +#include <linux/types.h>
12652 +#include <linux/fs.h>
12653 +#include <linux/file.h>
12654 +#include <linux/stat.h>
12655 +#include <linux/grsecurity.h>
12656 +#include <linux/grinternal.h>
12657 +#include <linux/gracl.h>
12660 +gr_acl_handle_hidden_file(const struct dentry * dentry,
12661 + const struct vfsmount * mnt)
12665 + if (unlikely(!dentry->d_inode))
12669 + gr_search_file(dentry, GR_FIND | GR_AUDIT_FIND | GR_SUPPRESS, mnt);
12671 + if (unlikely(mode & GR_FIND && mode & GR_AUDIT_FIND)) {
12672 + gr_log_fs_rbac_generic(GR_DO_AUDIT, GR_HIDDEN_ACL_MSG, dentry, mnt);
12674 + } else if (unlikely(!(mode & GR_FIND) && !(mode & GR_SUPPRESS))) {
12675 + gr_log_fs_rbac_generic(GR_DONT_AUDIT, GR_HIDDEN_ACL_MSG, dentry, mnt);
12677 + } else if (unlikely(!(mode & GR_FIND)))
12684 +gr_acl_handle_open(const struct dentry * dentry, const struct vfsmount * mnt,
12687 + __u32 reqmode = GR_FIND;
12690 + if (unlikely(!dentry->d_inode))
12693 + if (unlikely(fmode & O_APPEND))
12694 + reqmode |= GR_APPEND;
12695 + else if (unlikely(fmode & FMODE_WRITE))
12696 + reqmode |= GR_WRITE;
12697 + if (likely((fmode & FMODE_READ) && !(fmode & O_DIRECTORY)))
12698 + reqmode |= GR_READ;
12701 + gr_search_file(dentry, reqmode | to_gr_audit(reqmode) | GR_SUPPRESS,
12704 + if (unlikely(((mode & reqmode) == reqmode) && mode & GR_AUDITS)) {
12705 + gr_log_fs_rbac_mode2(GR_DO_AUDIT, GR_OPEN_ACL_MSG, dentry, mnt,
12706 + reqmode & GR_READ ? " reading" : "",
12707 + reqmode & GR_WRITE ? " writing" : reqmode &
12708 + GR_APPEND ? " appending" : "");
12711 + if (unlikely((mode & reqmode) != reqmode && !(mode & GR_SUPPRESS)))
12713 + gr_log_fs_rbac_mode2(GR_DONT_AUDIT, GR_OPEN_ACL_MSG, dentry, mnt,
12714 + reqmode & GR_READ ? " reading" : "",
12715 + reqmode & GR_WRITE ? " writing" : reqmode &
12716 + GR_APPEND ? " appending" : "");
12718 + } else if (unlikely((mode & reqmode) != reqmode))
12725 +gr_acl_handle_creat(const struct dentry * dentry,
12726 + const struct dentry * p_dentry,
12727 + const struct vfsmount * p_mnt, const int fmode,
12730 + __u32 reqmode = GR_WRITE | GR_CREATE;
12733 + if (unlikely(fmode & O_APPEND))
12734 + reqmode |= GR_APPEND;
12735 + if (unlikely((fmode & FMODE_READ) && !(fmode & O_DIRECTORY)))
12736 + reqmode |= GR_READ;
12737 + if (unlikely((fmode & O_CREAT) && (imode & (S_ISUID | S_ISGID))))
12738 + reqmode |= GR_SETID;
12741 + gr_check_create(dentry, p_dentry, p_mnt,
12742 + reqmode | to_gr_audit(reqmode) | GR_SUPPRESS);
12744 + if (unlikely(((mode & reqmode) == reqmode) && mode & GR_AUDITS)) {
12745 + gr_log_fs_rbac_mode2(GR_DO_AUDIT, GR_CREATE_ACL_MSG, dentry, p_mnt,
12746 + reqmode & GR_READ ? " reading" : "",
12747 + reqmode & GR_WRITE ? " writing" : reqmode &
12748 + GR_APPEND ? " appending" : "");
12751 + if (unlikely((mode & reqmode) != reqmode && !(mode & GR_SUPPRESS)))
12753 + gr_log_fs_rbac_mode2(GR_DONT_AUDIT, GR_CREATE_ACL_MSG, dentry, p_mnt,
12754 + reqmode & GR_READ ? " reading" : "",
12755 + reqmode & GR_WRITE ? " writing" : reqmode &
12756 + GR_APPEND ? " appending" : "");
12758 + } else if (unlikely((mode & reqmode) != reqmode))
12765 +gr_acl_handle_access(const struct dentry * dentry, const struct vfsmount * mnt,
12768 + __u32 mode, reqmode = GR_FIND;
12770 + if ((fmode & S_IXOTH) && !S_ISDIR(dentry->d_inode->i_mode))
12771 + reqmode |= GR_EXEC;
12772 + if (fmode & S_IWOTH)
12773 + reqmode |= GR_WRITE;
12774 + if (fmode & S_IROTH)
12775 + reqmode |= GR_READ;
12778 + gr_search_file(dentry, reqmode | to_gr_audit(reqmode) | GR_SUPPRESS,
12781 + if (unlikely(((mode & reqmode) == reqmode) && mode & GR_AUDITS)) {
12782 + gr_log_fs_rbac_mode3(GR_DO_AUDIT, GR_ACCESS_ACL_MSG, dentry, mnt,
12783 + reqmode & GR_READ ? " reading" : "",
12784 + reqmode & GR_WRITE ? " writing" : "",
12785 + reqmode & GR_EXEC ? " executing" : "");
12788 + if (unlikely((mode & reqmode) != reqmode && !(mode & GR_SUPPRESS)))
12790 + gr_log_fs_rbac_mode3(GR_DONT_AUDIT, GR_ACCESS_ACL_MSG, dentry, mnt,
12791 + reqmode & GR_READ ? " reading" : "",
12792 + reqmode & GR_WRITE ? " writing" : "",
12793 + reqmode & GR_EXEC ? " executing" : "");
12795 + } else if (unlikely((mode & reqmode) != reqmode))
12801 +static __u32 generic_fs_handler(const struct dentry *dentry, const struct vfsmount *mnt, __u32 reqmode, const char *fmt)
12805 + mode = gr_search_file(dentry, reqmode | to_gr_audit(reqmode) | GR_SUPPRESS, mnt);
12807 + if (unlikely(((mode & (reqmode)) == (reqmode)) && mode & GR_AUDITS)) {
12808 + gr_log_fs_rbac_generic(GR_DO_AUDIT, fmt, dentry, mnt);
12810 + } else if (unlikely((mode & (reqmode)) != (reqmode) && !(mode & GR_SUPPRESS))) {
12811 + gr_log_fs_rbac_generic(GR_DONT_AUDIT, fmt, dentry, mnt);
12813 + } else if (unlikely((mode & (reqmode)) != (reqmode)))
12816 + return (reqmode);
12820 +gr_acl_handle_rmdir(const struct dentry * dentry, const struct vfsmount * mnt)
12822 + return generic_fs_handler(dentry, mnt, GR_WRITE | GR_DELETE , GR_RMDIR_ACL_MSG);
12826 +gr_acl_handle_unlink(const struct dentry *dentry, const struct vfsmount *mnt)
12828 + return generic_fs_handler(dentry, mnt, GR_WRITE | GR_DELETE , GR_UNLINK_ACL_MSG);
12832 +gr_acl_handle_truncate(const struct dentry *dentry, const struct vfsmount *mnt)
12834 + return generic_fs_handler(dentry, mnt, GR_WRITE, GR_TRUNCATE_ACL_MSG);
12838 +gr_acl_handle_utime(const struct dentry *dentry, const struct vfsmount *mnt)
12840 + return generic_fs_handler(dentry, mnt, GR_WRITE, GR_ATIME_ACL_MSG);
12844 +gr_acl_handle_fchmod(const struct dentry *dentry, const struct vfsmount *mnt,
12847 + if (unlikely(dentry->d_inode && S_ISSOCK(dentry->d_inode->i_mode)))
12850 + if (unlikely((mode != (mode_t)-1) && (mode & (S_ISUID | S_ISGID)))) {
12851 + return generic_fs_handler(dentry, mnt, GR_WRITE | GR_SETID,
12852 + GR_FCHMOD_ACL_MSG);
12854 + return generic_fs_handler(dentry, mnt, GR_WRITE, GR_FCHMOD_ACL_MSG);
12859 +gr_acl_handle_chmod(const struct dentry *dentry, const struct vfsmount *mnt,
12862 + if (unlikely((mode != (mode_t)-1) && (mode & (S_ISUID | S_ISGID)))) {
12863 + return generic_fs_handler(dentry, mnt, GR_WRITE | GR_SETID,
12864 + GR_CHMOD_ACL_MSG);
12866 + return generic_fs_handler(dentry, mnt, GR_WRITE, GR_CHMOD_ACL_MSG);
12871 +gr_acl_handle_chown(const struct dentry *dentry, const struct vfsmount *mnt)
12873 + return generic_fs_handler(dentry, mnt, GR_WRITE, GR_CHOWN_ACL_MSG);
12877 +gr_acl_handle_execve(const struct dentry *dentry, const struct vfsmount *mnt)
12879 + return generic_fs_handler(dentry, mnt, GR_EXEC, GR_EXEC_ACL_MSG);
12883 +gr_acl_handle_unix(const struct dentry *dentry, const struct vfsmount *mnt)
12885 + return generic_fs_handler(dentry, mnt, GR_READ | GR_WRITE,
12886 + GR_UNIXCONNECT_ACL_MSG);
12889 +/* hardlinks require at minimum create permission,
12890 + any additional privilege required is based on the
12891 + privilege of the file being linked to
12894 +gr_acl_handle_link(const struct dentry * new_dentry,
12895 + const struct dentry * parent_dentry,
12896 + const struct vfsmount * parent_mnt,
12897 + const struct dentry * old_dentry,
12898 + const struct vfsmount * old_mnt, const char *to)
12901 + __u32 needmode = GR_CREATE | GR_LINK;
12902 + __u32 needaudit = GR_AUDIT_CREATE | GR_AUDIT_LINK;
12905 + gr_check_link(new_dentry, parent_dentry, parent_mnt, old_dentry,
12908 + if (unlikely(((mode & needmode) == needmode) && (mode & needaudit))) {
12909 + gr_log_fs_rbac_str(GR_DO_AUDIT, GR_LINK_ACL_MSG, old_dentry, old_mnt, to);
12911 + } else if (unlikely(((mode & needmode) != needmode) && !(mode & GR_SUPPRESS))) {
12912 + gr_log_fs_rbac_str(GR_DONT_AUDIT, GR_LINK_ACL_MSG, old_dentry, old_mnt, to);
12914 + } else if (unlikely((mode & needmode) != needmode))
12921 +gr_acl_handle_symlink(const struct dentry * new_dentry,
12922 + const struct dentry * parent_dentry,
12923 + const struct vfsmount * parent_mnt, const char *from)
12925 + __u32 needmode = GR_WRITE | GR_CREATE;
12929 + gr_check_create(new_dentry, parent_dentry, parent_mnt,
12930 + GR_CREATE | GR_AUDIT_CREATE |
12931 + GR_WRITE | GR_AUDIT_WRITE | GR_SUPPRESS);
12933 + if (unlikely(mode & GR_WRITE && mode & GR_AUDITS)) {
12934 + gr_log_fs_str_rbac(GR_DO_AUDIT, GR_SYMLINK_ACL_MSG, from, new_dentry, parent_mnt);
12936 + } else if (unlikely(((mode & needmode) != needmode) && !(mode & GR_SUPPRESS))) {
12937 + gr_log_fs_str_rbac(GR_DONT_AUDIT, GR_SYMLINK_ACL_MSG, from, new_dentry, parent_mnt);
12939 + } else if (unlikely((mode & needmode) != needmode))
12942 + return (GR_WRITE | GR_CREATE);
12945 +static __u32 generic_fs_create_handler(const struct dentry *new_dentry, const struct dentry *parent_dentry, const struct vfsmount *parent_mnt, __u32 reqmode, const char *fmt)
12949 + mode = gr_check_create(new_dentry, parent_dentry, parent_mnt, reqmode | to_gr_audit(reqmode) | GR_SUPPRESS);
12951 + if (unlikely(((mode & (reqmode)) == (reqmode)) && mode & GR_AUDITS)) {
12952 + gr_log_fs_rbac_generic(GR_DO_AUDIT, fmt, new_dentry, parent_mnt);
12954 + } else if (unlikely((mode & (reqmode)) != (reqmode) && !(mode & GR_SUPPRESS))) {
12955 + gr_log_fs_rbac_generic(GR_DONT_AUDIT, fmt, new_dentry, parent_mnt);
12957 + } else if (unlikely((mode & (reqmode)) != (reqmode)))
12960 + return (reqmode);
12964 +gr_acl_handle_mknod(const struct dentry * new_dentry,
12965 + const struct dentry * parent_dentry,
12966 + const struct vfsmount * parent_mnt,
12969 + __u32 reqmode = GR_WRITE | GR_CREATE;
12970 + if (unlikely(mode & (S_ISUID | S_ISGID)))
12971 + reqmode |= GR_SETID;
12973 + return generic_fs_create_handler(new_dentry, parent_dentry, parent_mnt,
12974 + reqmode, GR_MKNOD_ACL_MSG);
12978 +gr_acl_handle_mkdir(const struct dentry *new_dentry,
12979 + const struct dentry *parent_dentry,
12980 + const struct vfsmount *parent_mnt)
12982 + return generic_fs_create_handler(new_dentry, parent_dentry, parent_mnt,
12983 + GR_WRITE | GR_CREATE, GR_MKDIR_ACL_MSG);
12986 +#define RENAME_CHECK_SUCCESS(old, new) \
12987 + (((old & (GR_WRITE | GR_READ)) == (GR_WRITE | GR_READ)) && \
12988 + ((new & (GR_WRITE | GR_READ)) == (GR_WRITE | GR_READ)))
12991 +gr_acl_handle_rename(struct dentry *new_dentry,
12992 + struct dentry *parent_dentry,
12993 + const struct vfsmount *parent_mnt,
12994 + struct dentry *old_dentry,
12995 + struct inode *old_parent_inode,
12996 + struct vfsmount *old_mnt, const char *newname)
12998 + __u32 comp1, comp2;
13001 + if (unlikely(!gr_acl_is_enabled()))
13004 + if (!new_dentry->d_inode) {
13005 + comp1 = gr_check_create(new_dentry, parent_dentry, parent_mnt,
13006 + GR_READ | GR_WRITE | GR_CREATE | GR_AUDIT_READ |
13007 + GR_AUDIT_WRITE | GR_AUDIT_CREATE | GR_SUPPRESS);
13008 + comp2 = gr_search_file(old_dentry, GR_READ | GR_WRITE |
13009 + GR_DELETE | GR_AUDIT_DELETE |
13010 + GR_AUDIT_READ | GR_AUDIT_WRITE |
13011 + GR_SUPPRESS, old_mnt);
13013 + comp1 = gr_search_file(new_dentry, GR_READ | GR_WRITE |
13014 + GR_CREATE | GR_DELETE |
13015 + GR_AUDIT_CREATE | GR_AUDIT_DELETE |
13016 + GR_AUDIT_READ | GR_AUDIT_WRITE |
13017 + GR_SUPPRESS, parent_mnt);
13019 + gr_search_file(old_dentry,
13020 + GR_READ | GR_WRITE | GR_AUDIT_READ |
13021 + GR_DELETE | GR_AUDIT_DELETE |
13022 + GR_AUDIT_WRITE | GR_SUPPRESS, old_mnt);
13025 + if (RENAME_CHECK_SUCCESS(comp1, comp2) &&
13026 + ((comp1 & GR_AUDITS) || (comp2 & GR_AUDITS)))
13027 + gr_log_fs_rbac_str(GR_DO_AUDIT, GR_RENAME_ACL_MSG, old_dentry, old_mnt, newname);
13028 + else if (!RENAME_CHECK_SUCCESS(comp1, comp2) && !(comp1 & GR_SUPPRESS)
13029 + && !(comp2 & GR_SUPPRESS)) {
13030 + gr_log_fs_rbac_str(GR_DONT_AUDIT, GR_RENAME_ACL_MSG, old_dentry, old_mnt, newname);
13032 + } else if (unlikely(!RENAME_CHECK_SUCCESS(comp1, comp2)))
13039 +gr_acl_handle_exit(void)
13043 + struct file *exec_file;
13045 + if (unlikely(current->acl_sp_role && gr_acl_is_enabled())) {
13046 + id = current->acl_role_id;
13047 + rolename = current->role->rolename;
13049 + gr_log_str_int(GR_DONT_AUDIT_GOOD, GR_SPROLEL_ACL_MSG, rolename, id);
13052 + write_lock(&grsec_exec_file_lock);
13053 + exec_file = current->exec_file;
13054 + current->exec_file = NULL;
13055 + write_unlock(&grsec_exec_file_lock);
13062 +gr_acl_handle_procpidmem(const struct task_struct *task)
13064 + if (unlikely(!gr_acl_is_enabled()))
13067 + if (task->acl->mode & GR_PROTPROCFD)
13072 diff -urNp linux-2.6.16.12/grsecurity/gracl_ip.c linux-2.6.16.12/grsecurity/gracl_ip.c
13073 --- linux-2.6.16.12/grsecurity/gracl_ip.c 1969-12-31 19:00:00.000000000 -0500
13074 +++ linux-2.6.16.12/grsecurity/gracl_ip.c 2006-05-01 20:17:33.000000000 -0400
13076 +#include <linux/kernel.h>
13077 +#include <asm/uaccess.h>
13078 +#include <asm/errno.h>
13079 +#include <net/sock.h>
13080 +#include <linux/file.h>
13081 +#include <linux/fs.h>
13082 +#include <linux/net.h>
13083 +#include <linux/in.h>
13084 +#include <linux/skbuff.h>
13085 +#include <linux/ip.h>
13086 +#include <linux/udp.h>
13087 +#include <linux/smp_lock.h>
13088 +#include <linux/types.h>
13089 +#include <linux/sched.h>
13090 +#include <linux/netdevice.h>
13091 +#include <linux/inetdevice.h>
13092 +#include <linux/gracl.h>
13093 +#include <linux/grsecurity.h>
13094 +#include <linux/grinternal.h>
13096 +#define GR_BIND 0x01
13097 +#define GR_CONNECT 0x02
13098 +#define GR_INVERT 0x04
13100 +static const char * gr_protocols[256] = {
13101 + "ip", "icmp", "igmp", "ggp", "ipencap", "st", "tcp", "cbt",
13102 + "egp", "igp", "bbn-rcc", "nvp", "pup", "argus", "emcon", "xnet",
13103 + "chaos", "udp", "mux", "dcn", "hmp", "prm", "xns-idp", "trunk-1",
13104 + "trunk-2", "leaf-1", "leaf-2", "rdp", "irtp", "iso-tp4", "netblt", "mfe-nsp",
13105 + "merit-inp", "sep", "3pc", "idpr", "xtp", "ddp", "idpr-cmtp", "tp++",
13106 + "il", "ipv6", "sdrp", "ipv6-route", "ipv6-frag", "idrp", "rsvp", "gre",
13107 + "mhrp", "bna", "ipv6-crypt", "ipv6-auth", "i-nlsp", "swipe", "narp", "mobile",
13108 + "tlsp", "skip", "ipv6-icmp", "ipv6-nonxt", "ipv6-opts", "unknown:61", "cftp", "unknown:63",
13109 + "sat-expak", "kryptolan", "rvd", "ippc", "unknown:68", "sat-mon", "visa", "ipcv",
13110 + "cpnx", "cphb", "wsn", "pvp", "br-sat-mon", "sun-nd", "wb-mon", "wb-expak",
13111 + "iso-ip", "vmtp", "secure-vmtp", "vines", "ttp", "nfsnet-igp", "dgp", "tcf",
13112 + "eigrp", "ospf", "sprite-rpc", "larp", "mtp", "ax.25", "ipip", "micp",
13113 + "scc-sp", "etherip", "encap", "unknown:99", "gmtp", "ifmp", "pnni", "pim",
13114 + "aris", "scps", "qnx", "a/n", "ipcomp", "snp", "compaq-peer", "ipx-in-ip",
13115 + "vrrp", "pgm", "unknown:114", "l2tp", "ddx", "iatp", "stp", "srp",
13116 + "uti", "smp", "sm", "ptp", "isis", "fire", "crtp", "crdup",
13117 + "sscopmce", "iplt", "sps", "pipe", "sctp", "fc", "unkown:134", "unknown:135",
13118 + "unknown:136", "unknown:137", "unknown:138", "unknown:139", "unknown:140", "unknown:141", "unknown:142", "unknown:143",
13119 + "unknown:144", "unknown:145", "unknown:146", "unknown:147", "unknown:148", "unknown:149", "unknown:150", "unknown:151",
13120 + "unknown:152", "unknown:153", "unknown:154", "unknown:155", "unknown:156", "unknown:157", "unknown:158", "unknown:159",
13121 + "unknown:160", "unknown:161", "unknown:162", "unknown:163", "unknown:164", "unknown:165", "unknown:166", "unknown:167",
13122 + "unknown:168", "unknown:169", "unknown:170", "unknown:171", "unknown:172", "unknown:173", "unknown:174", "unknown:175",
13123 + "unknown:176", "unknown:177", "unknown:178", "unknown:179", "unknown:180", "unknown:181", "unknown:182", "unknown:183",
13124 + "unknown:184", "unknown:185", "unknown:186", "unknown:187", "unknown:188", "unknown:189", "unknown:190", "unknown:191",
13125 + "unknown:192", "unknown:193", "unknown:194", "unknown:195", "unknown:196", "unknown:197", "unknown:198", "unknown:199",
13126 + "unknown:200", "unknown:201", "unknown:202", "unknown:203", "unknown:204", "unknown:205", "unknown:206", "unknown:207",
13127 + "unknown:208", "unknown:209", "unknown:210", "unknown:211", "unknown:212", "unknown:213", "unknown:214", "unknown:215",
13128 + "unknown:216", "unknown:217", "unknown:218", "unknown:219", "unknown:220", "unknown:221", "unknown:222", "unknown:223",
13129 + "unknown:224", "unknown:225", "unknown:226", "unknown:227", "unknown:228", "unknown:229", "unknown:230", "unknown:231",
13130 + "unknown:232", "unknown:233", "unknown:234", "unknown:235", "unknown:236", "unknown:237", "unknown:238", "unknown:239",
13131 + "unknown:240", "unknown:241", "unknown:242", "unknown:243", "unknown:244", "unknown:245", "unknown:246", "unknown:247",
13132 + "unknown:248", "unknown:249", "unknown:250", "unknown:251", "unknown:252", "unknown:253", "unknown:254", "unknown:255",
13135 +static const char * gr_socktypes[11] = {
13136 + "unknown:0", "stream", "dgram", "raw", "rdm", "seqpacket", "unknown:6",
13137 + "unknown:7", "unknown:8", "unknown:9", "packet"
13141 +gr_proto_to_name(unsigned char proto)
13143 + return gr_protocols[proto];
13147 +gr_socktype_to_name(unsigned char type)
13149 + return gr_socktypes[type];
13153 +gr_search_socket(const int domain, const int type, const int protocol)
13155 + struct acl_subject_label *curr;
13157 + if (unlikely(!gr_acl_is_enabled()))
13160 + if ((domain < 0) || (type < 0) || (protocol < 0) || (domain != PF_INET)
13161 + || (domain >= NPROTO) || (type >= SOCK_MAX) || (protocol > 255))
13162 + goto exit; // let the kernel handle it
13164 + curr = current->acl;
13169 + if ((curr->ip_type & (1 << type)) &&
13170 + (curr->ip_proto[protocol / 32] & (1 << (protocol % 32))))
13173 + if (curr->mode & (GR_LEARN | GR_INHERITLEARN)) {
13174 + /* we don't place acls on raw sockets , and sometimes
13175 + dgram/ip sockets are opened for ioctl and not
13176 + bind/connect, so we'll fake a bind learn log */
13177 + if (type == SOCK_RAW || type == SOCK_PACKET) {
13178 + __u32 fakeip = 0;
13179 + security_learn(GR_IP_LEARN_MSG, current->role->rolename,
13180 + current->role->roletype, current->uid,
13181 + current->gid, current->exec_file ?
13182 + gr_to_filename(current->exec_file->f_dentry,
13183 + current->exec_file->f_vfsmnt) :
13184 + curr->filename, curr->filename,
13185 + NIPQUAD(fakeip), 0, type,
13186 + protocol, GR_CONNECT,
13187 +NIPQUAD(current->signal->curr_ip));
13188 + } else if ((type == SOCK_DGRAM) && (protocol == IPPROTO_IP)) {
13189 + __u32 fakeip = 0;
13190 + security_learn(GR_IP_LEARN_MSG, current->role->rolename,
13191 + current->role->roletype, current->uid,
13192 + current->gid, current->exec_file ?
13193 + gr_to_filename(current->exec_file->f_dentry,
13194 + current->exec_file->f_vfsmnt) :
13195 + curr->filename, curr->filename,
13196 + NIPQUAD(fakeip), 0, type,
13197 + protocol, GR_BIND, NIPQUAD(current->signal->curr_ip));
13199 + /* we'll log when they use connect or bind */
13203 + gr_log_str3(GR_DONT_AUDIT, GR_SOCK_MSG, "inet",
13204 + gr_socktype_to_name(type), gr_proto_to_name(protocol));
13211 +int check_ip_policy(struct acl_ip_label *ip, __u32 ip_addr, __u16 ip_port, __u8 protocol, const int mode, const int type, __u32 our_addr, __u32 our_netmask)
13213 + if ((ip->mode & mode) &&
13214 + (ip_port >= ip->low) &&
13215 + (ip_port <= ip->high) &&
13216 + ((ntohl(ip_addr) & our_netmask) ==
13217 + (ntohl(our_addr) & our_netmask))
13218 + && (ip->proto[protocol / 32] & (1 << (protocol % 32)))
13219 + && (ip->type & (1 << type))) {
13220 + if (ip->mode & GR_INVERT)
13221 + return 2; // specifically denied
13223 + return 1; // allowed
13226 + return 0; // not specifically allowed, may continue parsing
13230 +gr_search_connectbind(const int mode, const struct sock *sk,
13231 + const struct sockaddr_in *addr, const int type)
13233 + char iface[IFNAMSIZ] = {0};
13234 + struct acl_subject_label *curr;
13235 + struct acl_ip_label *ip;
13236 + struct net_device *dev;
13237 + struct in_device *idev;
13240 + __u32 ip_addr = 0;
13242 + __u32 our_netmask;
13244 + __u16 ip_port = 0;
13246 + if (unlikely(!gr_acl_is_enabled() || sk->sk_family != PF_INET))
13249 + curr = current->acl;
13254 + ip_addr = addr->sin_addr.s_addr;
13255 + ip_port = ntohs(addr->sin_port);
13257 + if (curr->mode & (GR_LEARN | GR_INHERITLEARN)) {
13258 + security_learn(GR_IP_LEARN_MSG, current->role->rolename,
13259 + current->role->roletype, current->uid,
13260 + current->gid, current->exec_file ?
13261 + gr_to_filename(current->exec_file->f_dentry,
13262 + current->exec_file->f_vfsmnt) :
13263 + curr->filename, curr->filename,
13264 + NIPQUAD(ip_addr), ip_port, type,
13265 + sk->sk_protocol, mode, NIPQUAD(current->signal->curr_ip));
13269 + for (i = 0; i < curr->ip_num; i++) {
13270 + ip = *(curr->ips + i);
13271 + if (ip->iface != NULL) {
13272 + strncpy(iface, ip->iface, IFNAMSIZ - 1);
13273 + p = strchr(iface, ':');
13276 + dev = dev_get_by_name(iface);
13279 + idev = in_dev_get(dev);
13280 + if (idev == NULL) {
13286 + if (!strcmp(ip->iface, ifa->ifa_label)) {
13287 + our_addr = ifa->ifa_address;
13288 + our_netmask = 0xffffffff;
13289 + ret = check_ip_policy(ip, ip_addr, ip_port, sk->sk_protocol, mode, type, our_addr, our_netmask);
13291 + rcu_read_unlock();
13292 + in_dev_put(idev);
13295 + } else if (ret == 2) {
13296 + rcu_read_unlock();
13297 + in_dev_put(idev);
13302 + } endfor_ifa(idev);
13303 + rcu_read_unlock();
13304 + in_dev_put(idev);
13307 + our_addr = ip->addr;
13308 + our_netmask = ip->netmask;
13309 + ret = check_ip_policy(ip, ip_addr, ip_port, sk->sk_protocol, mode, type, our_addr, our_netmask);
13312 + else if (ret == 2)
13318 + if (mode == GR_BIND)
13319 + gr_log_int5_str2(GR_DONT_AUDIT, GR_BIND_ACL_MSG, NIPQUAD(ip_addr), ip_port, gr_socktype_to_name(type), gr_proto_to_name(sk->sk_protocol));
13320 + else if (mode == GR_CONNECT)
13321 + gr_log_int5_str2(GR_DONT_AUDIT, GR_CONNECT_ACL_MSG, NIPQUAD(ip_addr), ip_port, gr_socktype_to_name(type), gr_proto_to_name(sk->sk_protocol));
13327 +gr_search_connect(const struct socket *sock, const struct sockaddr_in *addr)
13329 + return gr_search_connectbind(GR_CONNECT, sock->sk, addr, sock->type);
13333 +gr_search_bind(const struct socket *sock, const struct sockaddr_in *addr)
13335 + return gr_search_connectbind(GR_BIND, sock->sk, addr, sock->type);
13338 +int gr_search_listen(const struct socket *sock)
13340 + struct sock *sk = sock->sk;
13341 + struct sockaddr_in addr;
13343 + addr.sin_addr.s_addr = inet_sk(sk)->saddr;
13344 + addr.sin_port = inet_sk(sk)->sport;
13346 + return gr_search_connectbind(GR_BIND, sock->sk, &addr, sock->type);
13349 +int gr_search_accept(const struct socket *sock)
13351 + struct sock *sk = sock->sk;
13352 + struct sockaddr_in addr;
13354 + addr.sin_addr.s_addr = inet_sk(sk)->saddr;
13355 + addr.sin_port = inet_sk(sk)->sport;
13357 + return gr_search_connectbind(GR_BIND, sock->sk, &addr, sock->type);
13361 +gr_search_udp_sendmsg(const struct sock *sk, const struct sockaddr_in *addr)
13364 + return gr_search_connectbind(GR_CONNECT, sk, addr, SOCK_DGRAM);
13366 + struct sockaddr_in sin;
13367 + const struct inet_sock *inet = inet_sk(sk);
13369 + sin.sin_addr.s_addr = inet->daddr;
13370 + sin.sin_port = inet->dport;
13372 + return gr_search_connectbind(GR_CONNECT, sk, &sin, SOCK_DGRAM);
13377 +gr_search_udp_recvmsg(const struct sock *sk, const struct sk_buff *skb)
13379 + struct sockaddr_in sin;
13381 + if (unlikely(skb->len < sizeof (struct udphdr)))
13382 + return 1; // skip this packet
13384 + sin.sin_addr.s_addr = skb->nh.iph->saddr;
13385 + sin.sin_port = skb->h.uh->source;
13387 + return gr_search_connectbind(GR_CONNECT, sk, &sin, SOCK_DGRAM);
13389 diff -urNp linux-2.6.16.12/grsecurity/gracl_learn.c linux-2.6.16.12/grsecurity/gracl_learn.c
13390 --- linux-2.6.16.12/grsecurity/gracl_learn.c 1969-12-31 19:00:00.000000000 -0500
13391 +++ linux-2.6.16.12/grsecurity/gracl_learn.c 2006-05-01 20:17:33.000000000 -0400
13393 +#include <linux/kernel.h>
13394 +#include <linux/mm.h>
13395 +#include <linux/sched.h>
13396 +#include <linux/poll.h>
13397 +#include <linux/smp_lock.h>
13398 +#include <linux/string.h>
13399 +#include <linux/file.h>
13400 +#include <linux/types.h>
13401 +#include <linux/vmalloc.h>
13402 +#include <linux/grinternal.h>
13404 +extern ssize_t write_grsec_handler(struct file * file, const char __user * buf,
13405 + size_t count, loff_t *ppos);
13406 +extern int gr_acl_is_enabled(void);
13408 +static DECLARE_WAIT_QUEUE_HEAD(learn_wait);
13409 +static int gr_learn_attached;
13411 +/* use a 512k buffer */
13412 +#define LEARN_BUFFER_SIZE (512 * 1024)
13414 +static spinlock_t gr_learn_lock = SPIN_LOCK_UNLOCKED;
13415 +static DECLARE_MUTEX(gr_learn_user_sem);
13417 +/* we need to maintain two buffers, so that the kernel context of grlearn
13418 + uses a semaphore around the userspace copying, and the other kernel contexts
13419 + use a spinlock when copying into the buffer, since they cannot sleep
13421 +static char *learn_buffer;
13422 +static char *learn_buffer_user;
13423 +static int learn_buffer_len;
13424 +static int learn_buffer_user_len;
13427 +read_learn(struct file *file, char __user * buf, size_t count, loff_t * ppos)
13429 + DECLARE_WAITQUEUE(wait, current);
13430 + ssize_t retval = 0;
13432 + add_wait_queue(&learn_wait, &wait);
13433 + set_current_state(TASK_INTERRUPTIBLE);
13435 + down(&gr_learn_user_sem);
13436 + spin_lock(&gr_learn_lock);
13437 + if (learn_buffer_len)
13439 + spin_unlock(&gr_learn_lock);
13440 + up(&gr_learn_user_sem);
13441 + if (file->f_flags & O_NONBLOCK) {
13442 + retval = -EAGAIN;
13445 + if (signal_pending(current)) {
13446 + retval = -ERESTARTSYS;
13453 + memcpy(learn_buffer_user, learn_buffer, learn_buffer_len);
13454 + learn_buffer_user_len = learn_buffer_len;
13455 + retval = learn_buffer_len;
13456 + learn_buffer_len = 0;
13458 + spin_unlock(&gr_learn_lock);
13460 + if (copy_to_user(buf, learn_buffer_user, learn_buffer_user_len))
13461 + retval = -EFAULT;
13463 + up(&gr_learn_user_sem);
13465 + set_current_state(TASK_RUNNING);
13466 + remove_wait_queue(&learn_wait, &wait);
13470 +static unsigned int
13471 +poll_learn(struct file * file, poll_table * wait)
13473 + poll_wait(file, &learn_wait, wait);
13475 + if (learn_buffer_len)
13476 + return (POLLIN | POLLRDNORM);
13482 +gr_clear_learn_entries(void)
13486 + down(&gr_learn_user_sem);
13487 + if (learn_buffer != NULL) {
13488 + spin_lock(&gr_learn_lock);
13489 + tmp = learn_buffer;
13490 + learn_buffer = NULL;
13491 + spin_unlock(&gr_learn_lock);
13492 + vfree(learn_buffer);
13494 + if (learn_buffer_user != NULL) {
13495 + vfree(learn_buffer_user);
13496 + learn_buffer_user = NULL;
13498 + learn_buffer_len = 0;
13499 + up(&gr_learn_user_sem);
13505 +gr_add_learn_entry(const char *fmt, ...)
13508 + unsigned int len;
13510 + if (!gr_learn_attached)
13513 + spin_lock(&gr_learn_lock);
13515 + /* leave a gap at the end so we know when it's "full" but don't have to
13516 + compute the exact length of the string we're trying to append
13518 + if (learn_buffer_len > LEARN_BUFFER_SIZE - 16384) {
13519 + spin_unlock(&gr_learn_lock);
13520 + wake_up_interruptible(&learn_wait);
13523 + if (learn_buffer == NULL) {
13524 + spin_unlock(&gr_learn_lock);
13528 + va_start(args, fmt);
13529 + len = vsnprintf(learn_buffer + learn_buffer_len, LEARN_BUFFER_SIZE - learn_buffer_len, fmt, args);
13532 + learn_buffer_len += len + 1;
13534 + spin_unlock(&gr_learn_lock);
13535 + wake_up_interruptible(&learn_wait);
13541 +open_learn(struct inode *inode, struct file *file)
13543 + if (file->f_mode & FMODE_READ && gr_learn_attached)
13545 + if (file->f_mode & FMODE_READ) {
13546 + down(&gr_learn_user_sem);
13547 + if (learn_buffer == NULL)
13548 + learn_buffer = vmalloc(LEARN_BUFFER_SIZE);
13549 + if (learn_buffer_user == NULL)
13550 + learn_buffer_user = vmalloc(LEARN_BUFFER_SIZE);
13551 + if (learn_buffer == NULL)
13553 + if (learn_buffer_user == NULL)
13555 + learn_buffer_len = 0;
13556 + learn_buffer_user_len = 0;
13557 + gr_learn_attached = 1;
13558 + up(&gr_learn_user_sem);
13564 +close_learn(struct inode *inode, struct file *file)
13568 + if (file->f_mode & FMODE_READ) {
13569 + down(&gr_learn_user_sem);
13570 + if (learn_buffer != NULL) {
13571 + spin_lock(&gr_learn_lock);
13572 + tmp = learn_buffer;
13573 + learn_buffer = NULL;
13574 + spin_unlock(&gr_learn_lock);
13577 + if (learn_buffer_user != NULL) {
13578 + vfree(learn_buffer_user);
13579 + learn_buffer_user = NULL;
13581 + learn_buffer_len = 0;
13582 + learn_buffer_user_len = 0;
13583 + gr_learn_attached = 0;
13584 + up(&gr_learn_user_sem);
13590 +struct file_operations grsec_fops = {
13591 + .read = read_learn,
13592 + .write = write_grsec_handler,
13593 + .open = open_learn,
13594 + .release = close_learn,
13595 + .poll = poll_learn,
13597 diff -urNp linux-2.6.16.12/grsecurity/gracl_res.c linux-2.6.16.12/grsecurity/gracl_res.c
13598 --- linux-2.6.16.12/grsecurity/gracl_res.c 1969-12-31 19:00:00.000000000 -0500
13599 +++ linux-2.6.16.12/grsecurity/gracl_res.c 2006-05-01 20:17:33.000000000 -0400
13601 +#include <linux/kernel.h>
13602 +#include <linux/sched.h>
13603 +#include <linux/gracl.h>
13604 +#include <linux/grinternal.h>
13606 +static const char *restab_log[] = {
13607 + [RLIMIT_CPU] = "RLIMIT_CPU",
13608 + [RLIMIT_FSIZE] = "RLIMIT_FSIZE",
13609 + [RLIMIT_DATA] = "RLIMIT_DATA",
13610 + [RLIMIT_STACK] = "RLIMIT_STACK",
13611 + [RLIMIT_CORE] = "RLIMIT_CORE",
13612 + [RLIMIT_RSS] = "RLIMIT_RSS",
13613 + [RLIMIT_NPROC] = "RLIMIT_NPROC",
13614 + [RLIMIT_NOFILE] = "RLIMIT_NOFILE",
13615 + [RLIMIT_MEMLOCK] = "RLIMIT_MEMLOCK",
13616 + [RLIMIT_AS] = "RLIMIT_AS",
13617 + [RLIMIT_LOCKS] = "RLIMIT_LOCKS",
13618 + [RLIMIT_LOCKS + 1] = "RLIMIT_CRASH"
13622 +gr_log_resource(const struct task_struct *task,
13623 + const int res, const unsigned long wanted, const int gt)
13625 + if (res == RLIMIT_NPROC &&
13626 + (cap_raised(task->cap_effective, CAP_SYS_ADMIN) ||
13627 + cap_raised(task->cap_effective, CAP_SYS_RESOURCE)))
13629 + else if (res == RLIMIT_MEMLOCK &&
13630 + cap_raised(task->cap_effective, CAP_IPC_LOCK))
13633 + preempt_disable();
13635 + if (unlikely(((gt && wanted > task->signal->rlim[res].rlim_cur) ||
13636 + (!gt && wanted >= task->signal->rlim[res].rlim_cur)) &&
13637 + task->signal->rlim[res].rlim_cur != RLIM_INFINITY))
13638 + gr_log_res_ulong2_str(GR_DONT_AUDIT, GR_RESOURCE_MSG, task, wanted, restab_log[res], task->signal->rlim[res].rlim_cur);
13639 + preempt_enable_no_resched();
13643 diff -urNp linux-2.6.16.12/grsecurity/gracl_segv.c linux-2.6.16.12/grsecurity/gracl_segv.c
13644 --- linux-2.6.16.12/grsecurity/gracl_segv.c 1969-12-31 19:00:00.000000000 -0500
13645 +++ linux-2.6.16.12/grsecurity/gracl_segv.c 2006-05-01 20:17:33.000000000 -0400
13647 +#include <linux/kernel.h>
13648 +#include <linux/mm.h>
13649 +#include <asm/uaccess.h>
13650 +#include <asm/errno.h>
13651 +#include <asm/mman.h>
13652 +#include <net/sock.h>
13653 +#include <linux/file.h>
13654 +#include <linux/fs.h>
13655 +#include <linux/net.h>
13656 +#include <linux/in.h>
13657 +#include <linux/smp_lock.h>
13658 +#include <linux/slab.h>
13659 +#include <linux/types.h>
13660 +#include <linux/sched.h>
13661 +#include <linux/timer.h>
13662 +#include <linux/gracl.h>
13663 +#include <linux/grsecurity.h>
13664 +#include <linux/grinternal.h>
13666 +static struct crash_uid *uid_set;
13667 +static unsigned short uid_used;
13668 +static spinlock_t gr_uid_lock = SPIN_LOCK_UNLOCKED;
13669 +extern rwlock_t gr_inode_lock;
13670 +extern struct acl_subject_label *
13671 + lookup_acl_subj_label(const ino_t inode, const dev_t dev,
13672 + struct acl_role_label *role);
13673 +extern int specific_send_sig_info(int sig, struct siginfo *info, struct task_struct *t);
13676 +gr_init_uidset(void)
13679 + kmalloc(GR_UIDTABLE_MAX * sizeof (struct crash_uid), GFP_KERNEL);
13682 + return uid_set ? 1 : 0;
13686 +gr_free_uidset(void)
13695 +gr_find_uid(const uid_t uid)
13697 + struct crash_uid *tmp = uid_set;
13699 + int low = 0, high = uid_used - 1, mid;
13701 + while (high >= low) {
13702 + mid = (low + high) >> 1;
13703 + buid = tmp[mid].uid;
13715 +static __inline__ void
13716 +gr_insertsort(void)
13718 + unsigned short i, j;
13719 + struct crash_uid index;
13721 + for (i = 1; i < uid_used; i++) {
13722 + index = uid_set[i];
13724 + while ((j > 0) && uid_set[j - 1].uid > index.uid) {
13725 + uid_set[j] = uid_set[j - 1];
13728 + uid_set[j] = index;
13734 +static __inline__ void
13735 +gr_insert_uid(const uid_t uid, const unsigned long expires)
13739 + if (uid_used == GR_UIDTABLE_MAX)
13742 + loc = gr_find_uid(uid);
13745 + uid_set[loc].expires = expires;
13749 + uid_set[uid_used].uid = uid;
13750 + uid_set[uid_used].expires = expires;
13759 +gr_remove_uid(const unsigned short loc)
13761 + unsigned short i;
13763 + for (i = loc + 1; i < uid_used; i++)
13764 + uid_set[i - 1] = uid_set[i];
13772 +gr_check_crash_uid(const uid_t uid)
13777 + if (unlikely(!gr_acl_is_enabled()))
13780 + spin_lock(&gr_uid_lock);
13781 + loc = gr_find_uid(uid);
13786 + if (time_before_eq(uid_set[loc].expires, get_seconds()))
13787 + gr_remove_uid(loc);
13792 + spin_unlock(&gr_uid_lock);
13796 +static __inline__ int
13797 +proc_is_setxid(const struct task_struct *task)
13799 + if (task->uid != task->euid || task->uid != task->suid ||
13800 + task->uid != task->fsuid)
13802 + if (task->gid != task->egid || task->gid != task->sgid ||
13803 + task->gid != task->fsgid)
13808 +static __inline__ int
13809 +gr_fake_force_sig(int sig, struct task_struct *t)
13811 + unsigned long int flags;
13814 + spin_lock_irqsave(&t->sighand->siglock, flags);
13815 + if (sigismember(&t->blocked, sig) || t->sighand->action[sig-1].sa.sa_handler == SIG_IGN) {
13816 + t->sighand->action[sig-1].sa.sa_handler = SIG_DFL;
13817 + sigdelset(&t->blocked, sig);
13818 + recalc_sigpending_tsk(t);
13820 + ret = specific_send_sig_info(sig, (void*)1L, t);
13821 + spin_unlock_irqrestore(&t->sighand->siglock, flags);
13827 +gr_handle_crash(struct task_struct *task, const int sig)
13829 + struct acl_subject_label *curr;
13830 + struct acl_subject_label *curr2;
13831 + struct task_struct *tsk, *tsk2;
13833 + if (sig != SIGSEGV && sig != SIGKILL && sig != SIGBUS && sig != SIGILL)
13836 + if (unlikely(!gr_acl_is_enabled()))
13839 + curr = task->acl;
13841 + if (!(curr->resmask & (1 << GR_CRASH_RES)))
13844 + if (time_before_eq(curr->expires, get_seconds())) {
13845 + curr->expires = 0;
13846 + curr->crashes = 0;
13851 + if (!curr->expires)
13852 + curr->expires = get_seconds() + curr->res[GR_CRASH_RES].rlim_max;
13854 + if ((curr->crashes >= curr->res[GR_CRASH_RES].rlim_cur) &&
13855 + time_after(curr->expires, get_seconds())) {
13856 + if (task->uid && proc_is_setxid(task)) {
13857 + gr_log_crash1(GR_DONT_AUDIT, GR_SEGVSTART_ACL_MSG, task, curr->res[GR_CRASH_RES].rlim_max);
13858 + spin_lock(&gr_uid_lock);
13859 + gr_insert_uid(task->uid, curr->expires);
13860 + spin_unlock(&gr_uid_lock);
13861 + curr->expires = 0;
13862 + curr->crashes = 0;
13863 + read_lock(&tasklist_lock);
13864 + do_each_thread(tsk2, tsk) {
13865 + if (tsk != task && tsk->uid == task->uid)
13866 + gr_fake_force_sig(SIGKILL, tsk);
13867 + } while_each_thread(tsk2, tsk);
13868 + read_unlock(&tasklist_lock);
13870 + gr_log_crash2(GR_DONT_AUDIT, GR_SEGVNOSUID_ACL_MSG, task, curr->res[GR_CRASH_RES].rlim_max);
13871 + read_lock(&tasklist_lock);
13872 + do_each_thread(tsk2, tsk) {
13873 + if (likely(tsk != task)) {
13874 + curr2 = tsk->acl;
13876 + if (curr2->device == curr->device &&
13877 + curr2->inode == curr->inode)
13878 + gr_fake_force_sig(SIGKILL, tsk);
13880 + } while_each_thread(tsk2, tsk);
13881 + read_unlock(&tasklist_lock);
13889 +gr_check_crash_exec(const struct file *filp)
13891 + struct acl_subject_label *curr;
13893 + if (unlikely(!gr_acl_is_enabled()))
13896 + read_lock(&gr_inode_lock);
13897 + curr = lookup_acl_subj_label(filp->f_dentry->d_inode->i_ino,
13898 + filp->f_dentry->d_inode->i_sb->s_dev,
13900 + read_unlock(&gr_inode_lock);
13902 + if (!curr || !(curr->resmask & (1 << GR_CRASH_RES)) ||
13903 + (!curr->crashes && !curr->expires))
13906 + if ((curr->crashes >= curr->res[GR_CRASH_RES].rlim_cur) &&
13907 + time_after(curr->expires, get_seconds()))
13909 + else if (time_before_eq(curr->expires, get_seconds())) {
13910 + curr->crashes = 0;
13911 + curr->expires = 0;
13918 +gr_handle_alertkill(struct task_struct *task)
13920 + struct acl_subject_label *curracl;
13922 + struct task_struct *p, *p2;
13924 + if (unlikely(!gr_acl_is_enabled()))
13927 + curracl = task->acl;
13928 + curr_ip = task->signal->curr_ip;
13930 + if ((curracl->mode & GR_KILLIPPROC) && curr_ip) {
13931 + read_lock(&tasklist_lock);
13932 + do_each_thread(p2, p) {
13933 + if (p->signal->curr_ip == curr_ip)
13934 + gr_fake_force_sig(SIGKILL, p);
13935 + } while_each_thread(p2, p);
13936 + read_unlock(&tasklist_lock);
13937 + } else if (curracl->mode & GR_KILLPROC)
13938 + gr_fake_force_sig(SIGKILL, task);
13942 diff -urNp linux-2.6.16.12/grsecurity/gracl_shm.c linux-2.6.16.12/grsecurity/gracl_shm.c
13943 --- linux-2.6.16.12/grsecurity/gracl_shm.c 1969-12-31 19:00:00.000000000 -0500
13944 +++ linux-2.6.16.12/grsecurity/gracl_shm.c 2006-05-01 20:17:34.000000000 -0400
13946 +#include <linux/kernel.h>
13947 +#include <linux/mm.h>
13948 +#include <linux/sched.h>
13949 +#include <linux/file.h>
13950 +#include <linux/ipc.h>
13951 +#include <linux/gracl.h>
13952 +#include <linux/grsecurity.h>
13953 +#include <linux/grinternal.h>
13954 +#include <linux/vs_pid.h>
13957 +gr_handle_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
13958 + const time_t shm_createtime, const uid_t cuid, const int shmid)
13960 + struct task_struct *task;
13962 + if (!gr_acl_is_enabled())
13965 + task = find_task_by_pid(shm_cprid);
13967 + if (unlikely(!task))
13968 + task = find_task_by_pid(shm_lapid);
13970 + if (unlikely(task && (time_before((unsigned long)task->start_time.tv_sec, (unsigned long)shm_createtime) ||
13971 + (task->pid == shm_lapid)) &&
13972 + (task->acl->mode & GR_PROTSHM) &&
13973 + (task->acl != current->acl))) {
13974 + gr_log_int3(GR_DONT_AUDIT, GR_SHMAT_ACL_MSG, cuid, shm_cprid, shmid);
13980 diff -urNp linux-2.6.16.12/grsecurity/grsec_chdir.c linux-2.6.16.12/grsecurity/grsec_chdir.c
13981 --- linux-2.6.16.12/grsecurity/grsec_chdir.c 1969-12-31 19:00:00.000000000 -0500
13982 +++ linux-2.6.16.12/grsecurity/grsec_chdir.c 2006-05-01 20:17:34.000000000 -0400
13984 +#include <linux/kernel.h>
13985 +#include <linux/sched.h>
13986 +#include <linux/fs.h>
13987 +#include <linux/file.h>
13988 +#include <linux/grsecurity.h>
13989 +#include <linux/grinternal.h>
13992 +gr_log_chdir(const struct dentry *dentry, const struct vfsmount *mnt)
13994 +#ifdef CONFIG_GRKERNSEC_AUDIT_CHDIR
13995 + if ((grsec_enable_chdir && grsec_enable_group &&
13996 + in_group_p(grsec_audit_gid)) || (grsec_enable_chdir &&
13997 + !grsec_enable_group)) {
13998 + gr_log_fs_generic(GR_DO_AUDIT, GR_CHDIR_AUDIT_MSG, dentry, mnt);
14003 diff -urNp linux-2.6.16.12/grsecurity/grsec_chroot.c linux-2.6.16.12/grsecurity/grsec_chroot.c
14004 --- linux-2.6.16.12/grsecurity/grsec_chroot.c 1969-12-31 19:00:00.000000000 -0500
14005 +++ linux-2.6.16.12/grsecurity/grsec_chroot.c 2006-05-01 20:17:34.000000000 -0400
14007 +#include <linux/kernel.h>
14008 +#include <linux/module.h>
14009 +#include <linux/sched.h>
14010 +#include <linux/file.h>
14011 +#include <linux/fs.h>
14012 +#include <linux/mount.h>
14013 +#include <linux/types.h>
14014 +#include <linux/grinternal.h>
14017 +gr_handle_chroot_unix(const pid_t pid)
14019 +#ifdef CONFIG_GRKERNSEC_CHROOT_UNIX
14020 + struct pid *spid = NULL;
14022 + if (unlikely(!grsec_enable_chroot_unix))
14025 + if (likely(!proc_is_chrooted(current)))
14028 + read_lock(&tasklist_lock);
14030 + spid = find_pid(PIDTYPE_PID, pid);
14032 + struct task_struct *p;
14033 + p = pid_task(&spid->pid_list, PIDTYPE_PID);
14035 + if (unlikely(!have_same_root(current, p))) {
14037 + read_unlock(&tasklist_lock);
14038 + gr_log_noargs(GR_DONT_AUDIT, GR_UNIX_CHROOT_MSG);
14043 + read_unlock(&tasklist_lock);
14049 +gr_handle_chroot_nice(void)
14051 +#ifdef CONFIG_GRKERNSEC_CHROOT_NICE
14052 + if (grsec_enable_chroot_nice && proc_is_chrooted(current)) {
14053 + gr_log_noargs(GR_DONT_AUDIT, GR_NICE_CHROOT_MSG);
14061 +gr_handle_chroot_setpriority(struct task_struct *p, const int niceval)
14063 +#ifdef CONFIG_GRKERNSEC_CHROOT_NICE
14064 + if (grsec_enable_chroot_nice && (niceval < task_nice(p))
14065 + && proc_is_chrooted(current)) {
14066 + gr_log_str_int(GR_DONT_AUDIT, GR_PRIORITY_CHROOT_MSG, p->comm, p->pid);
14074 +gr_handle_chroot_rawio(const struct inode *inode)
14076 +#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
14077 + if (grsec_enable_chroot_caps && proc_is_chrooted(current) &&
14078 + inode && S_ISBLK(inode->i_mode) && !capable(CAP_SYS_RAWIO))
14085 +gr_pid_is_chrooted(struct task_struct *p)
14087 +#ifdef CONFIG_GRKERNSEC_CHROOT_FINDTASK
14088 + if (!grsec_enable_chroot_findtask || !proc_is_chrooted(current) || !p)
14092 + if ((p->exit_state & (EXIT_ZOMBIE | EXIT_DEAD)) ||
14093 + !have_same_root(current, p)) {
14102 +EXPORT_SYMBOL(gr_pid_is_chrooted);
14104 +#if defined(CONFIG_GRKERNSEC_CHROOT_DOUBLE) || defined(CONFIG_GRKERNSEC_CHROOT_FCHDIR)
14105 +int gr_is_outside_chroot(const struct dentry *u_dentry, const struct vfsmount *u_mnt)
14107 + struct dentry *dentry = (struct dentry *)u_dentry;
14108 + struct vfsmount *mnt = (struct vfsmount *)u_mnt;
14109 + struct dentry *realroot;
14110 + struct vfsmount *realrootmnt;
14111 + struct dentry *currentroot;
14112 + struct vfsmount *currentmnt;
14115 + read_lock(&child_reaper->fs->lock);
14116 + realrootmnt = mntget(child_reaper->fs->rootmnt);
14117 + realroot = dget(child_reaper->fs->root);
14118 + read_unlock(&child_reaper->fs->lock);
14120 + read_lock(¤t->fs->lock);
14121 + currentmnt = mntget(current->fs->rootmnt);
14122 + currentroot = dget(current->fs->root);
14123 + read_unlock(¤t->fs->lock);
14125 + spin_lock(&dcache_lock);
14127 + if (unlikely((dentry == realroot && mnt == realrootmnt)
14128 + || (dentry == currentroot && mnt == currentmnt)))
14130 + if (unlikely(dentry == mnt->mnt_root || IS_ROOT(dentry))) {
14131 + if (mnt->mnt_parent == mnt)
14133 + dentry = mnt->mnt_mountpoint;
14134 + mnt = mnt->mnt_parent;
14137 + dentry = dentry->d_parent;
14139 + spin_unlock(&dcache_lock);
14141 + dput(currentroot);
14142 + mntput(currentmnt);
14144 + /* access is outside of chroot */
14145 + if (dentry == realroot && mnt == realrootmnt)
14149 + mntput(realrootmnt);
14155 +gr_chroot_fchdir(struct dentry *u_dentry, struct vfsmount *u_mnt)
14157 +#ifdef CONFIG_GRKERNSEC_CHROOT_FCHDIR
14158 + if (!grsec_enable_chroot_fchdir)
14161 + if (!proc_is_chrooted(current))
14163 + else if (!gr_is_outside_chroot(u_dentry, u_mnt)) {
14164 + gr_log_fs_generic(GR_DONT_AUDIT, GR_CHROOT_FCHDIR_MSG, u_dentry, u_mnt);
14172 +gr_chroot_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
14173 + const time_t shm_createtime)
14175 +#ifdef CONFIG_GRKERNSEC_CHROOT_SHMAT
14176 + struct pid *pid = NULL;
14177 + time_t starttime;
14179 + if (unlikely(!grsec_enable_chroot_shmat))
14182 + if (likely(!proc_is_chrooted(current)))
14185 + read_lock(&tasklist_lock);
14187 + pid = find_pid(PIDTYPE_PID, shm_cprid);
14189 + struct task_struct *p;
14190 + p = pid_task(&pid->pid_list, PIDTYPE_PID);
14192 + starttime = p->start_time.tv_sec;
14193 + if (unlikely(!have_same_root(current, p) &&
14194 + time_before((unsigned long)starttime, (unsigned long)shm_createtime))) {
14196 + read_unlock(&tasklist_lock);
14197 + gr_log_noargs(GR_DONT_AUDIT, GR_SHMAT_CHROOT_MSG);
14202 + pid = find_pid(PIDTYPE_PID, shm_lapid);
14204 + struct task_struct *p;
14205 + p = pid_task(&pid->pid_list, PIDTYPE_PID);
14207 + if (unlikely(!have_same_root(current, p))) {
14209 + read_unlock(&tasklist_lock);
14210 + gr_log_noargs(GR_DONT_AUDIT, GR_SHMAT_CHROOT_MSG);
14217 + read_unlock(&tasklist_lock);
14223 +gr_log_chroot_exec(const struct dentry *dentry, const struct vfsmount *mnt)
14225 +#ifdef CONFIG_GRKERNSEC_CHROOT_EXECLOG
14226 + if (grsec_enable_chroot_execlog && proc_is_chrooted(current))
14227 + gr_log_fs_generic(GR_DO_AUDIT, GR_EXEC_CHROOT_MSG, dentry, mnt);
14233 +gr_handle_chroot_mknod(const struct dentry *dentry,
14234 + const struct vfsmount *mnt, const int mode)
14236 +#ifdef CONFIG_GRKERNSEC_CHROOT_MKNOD
14237 + if (grsec_enable_chroot_mknod && !S_ISFIFO(mode) && !S_ISREG(mode) &&
14238 + proc_is_chrooted(current)) {
14239 + gr_log_fs_generic(GR_DONT_AUDIT, GR_MKNOD_CHROOT_MSG, dentry, mnt);
14247 +gr_handle_chroot_mount(const struct dentry *dentry,
14248 + const struct vfsmount *mnt, const char *dev_name)
14250 +#ifdef CONFIG_GRKERNSEC_CHROOT_MOUNT
14251 + if (grsec_enable_chroot_mount && proc_is_chrooted(current)) {
14252 + gr_log_str_fs(GR_DONT_AUDIT, GR_MOUNT_CHROOT_MSG, dev_name, dentry, mnt);
14260 +gr_handle_chroot_pivot(void)
14262 +#ifdef CONFIG_GRKERNSEC_CHROOT_PIVOT
14263 + if (grsec_enable_chroot_pivot && proc_is_chrooted(current)) {
14264 + gr_log_noargs(GR_DONT_AUDIT, GR_PIVOT_CHROOT_MSG);
14272 +gr_handle_chroot_chroot(const struct dentry *dentry, const struct vfsmount *mnt)
14274 +#ifdef CONFIG_GRKERNSEC_CHROOT_DOUBLE
14275 + if (grsec_enable_chroot_double && proc_is_chrooted(current) &&
14276 + !gr_is_outside_chroot(dentry, mnt)) {
14277 + gr_log_fs_generic(GR_DONT_AUDIT, GR_CHROOT_CHROOT_MSG, dentry, mnt);
14285 +gr_handle_chroot_caps(struct task_struct *task)
14287 +#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
14288 + if (grsec_enable_chroot_caps && proc_is_chrooted(task)) {
14289 + task->cap_permitted =
14290 + cap_drop(task->cap_permitted, GR_CHROOT_CAPS);
14291 + task->cap_inheritable =
14292 + cap_drop(task->cap_inheritable, GR_CHROOT_CAPS);
14293 + task->cap_effective =
14294 + cap_drop(task->cap_effective, GR_CHROOT_CAPS);
14301 +gr_handle_chroot_sysctl(const int op)
14303 +#ifdef CONFIG_GRKERNSEC_CHROOT_SYSCTL
14304 + if (grsec_enable_chroot_sysctl && proc_is_chrooted(current)
14312 +gr_handle_chroot_chdir(struct dentry *dentry, struct vfsmount *mnt)
14314 +#ifdef CONFIG_GRKERNSEC_CHROOT_CHDIR
14315 + if (grsec_enable_chroot_chdir)
14316 + set_fs_pwd(current->fs, mnt, dentry);
14322 +gr_handle_chroot_chmod(const struct dentry *dentry,
14323 + const struct vfsmount *mnt, const int mode)
14325 +#ifdef CONFIG_GRKERNSEC_CHROOT_CHMOD
14326 + if (grsec_enable_chroot_chmod &&
14327 + ((mode & S_ISUID) || ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP))) &&
14328 + proc_is_chrooted(current)) {
14329 + gr_log_fs_generic(GR_DONT_AUDIT, GR_CHMOD_CHROOT_MSG, dentry, mnt);
14336 +#ifdef CONFIG_SECURITY
14337 +EXPORT_SYMBOL(gr_handle_chroot_caps);
14339 diff -urNp linux-2.6.16.12/grsecurity/grsec_disabled.c linux-2.6.16.12/grsecurity/grsec_disabled.c
14340 --- linux-2.6.16.12/grsecurity/grsec_disabled.c 1969-12-31 19:00:00.000000000 -0500
14341 +++ linux-2.6.16.12/grsecurity/grsec_disabled.c 2006-05-01 20:17:34.000000000 -0400
14343 +#include <linux/kernel.h>
14344 +#include <linux/module.h>
14345 +#include <linux/config.h>
14346 +#include <linux/sched.h>
14347 +#include <linux/file.h>
14348 +#include <linux/fs.h>
14349 +#include <linux/kdev_t.h>
14350 +#include <linux/net.h>
14351 +#include <linux/in.h>
14352 +#include <linux/ip.h>
14353 +#include <linux/skbuff.h>
14354 +#include <linux/sysctl.h>
14356 +#ifdef CONFIG_PAX_HAVE_ACL_FLAGS
14358 +pax_set_initial_flags(struct linux_binprm *bprm)
14364 +#ifdef CONFIG_SYSCTL
14366 +gr_handle_sysctl(const struct ctl_table * table, __u32 mode)
14373 +gr_acl_is_enabled(void)
14379 +gr_handle_rawio(const struct inode *inode)
14385 +gr_acl_handle_psacct(struct task_struct *task, const long code)
14391 +gr_handle_ptrace(struct task_struct *task, const long request)
14397 +gr_handle_proc_ptrace(struct task_struct *task)
14403 +gr_learn_resource(const struct task_struct *task,
14404 + const int res, const unsigned long wanted, const int gt)
14410 +gr_set_acls(const int type)
14416 +gr_check_hidden_task(const struct task_struct *tsk)
14422 +gr_check_protected_task(const struct task_struct *task)
14428 +gr_copy_label(struct task_struct *tsk)
14434 +gr_set_pax_flags(struct task_struct *task)
14440 +gr_set_proc_label(const struct dentry *dentry, const struct vfsmount *mnt)
14446 +gr_handle_delete(const ino_t ino, const dev_t dev)
14452 +gr_handle_create(const struct dentry *dentry, const struct vfsmount *mnt)
14458 +gr_handle_crash(struct task_struct *task, const int sig)
14464 +gr_check_crash_exec(const struct file *filp)
14470 +gr_check_crash_uid(const uid_t uid)
14476 +gr_handle_rename(struct inode *old_dir, struct inode *new_dir,
14477 + struct dentry *old_dentry,
14478 + struct dentry *new_dentry,
14479 + struct vfsmount *mnt, const __u8 replace)
14485 +gr_search_socket(const int family, const int type, const int protocol)
14491 +gr_search_connectbind(const int mode, const struct socket *sock,
14492 + const struct sockaddr_in *addr)
14498 +gr_task_is_capable(struct task_struct *task, const int cap)
14504 +gr_is_capable_nolog(const int cap)
14510 +gr_handle_alertkill(struct task_struct *task)
14516 +gr_acl_handle_execve(const struct dentry * dentry, const struct vfsmount * mnt)
14522 +gr_acl_handle_hidden_file(const struct dentry * dentry,
14523 + const struct vfsmount * mnt)
14529 +gr_acl_handle_open(const struct dentry * dentry, const struct vfsmount * mnt,
14536 +gr_acl_handle_rmdir(const struct dentry * dentry, const struct vfsmount * mnt)
14542 +gr_acl_handle_unlink(const struct dentry * dentry, const struct vfsmount * mnt)
14548 +gr_acl_handle_mmap(const struct file *file, const unsigned long prot,
14549 + unsigned int *vm_flags)
14555 +gr_acl_handle_truncate(const struct dentry * dentry,
14556 + const struct vfsmount * mnt)
14562 +gr_acl_handle_utime(const struct dentry * dentry, const struct vfsmount * mnt)
14568 +gr_acl_handle_access(const struct dentry * dentry,
14569 + const struct vfsmount * mnt, const int fmode)
14575 +gr_acl_handle_fchmod(const struct dentry * dentry, const struct vfsmount * mnt,
14582 +gr_acl_handle_chmod(const struct dentry * dentry, const struct vfsmount * mnt,
14589 +gr_acl_handle_chown(const struct dentry * dentry, const struct vfsmount * mnt)
14595 +grsecurity_init(void)
14601 +gr_acl_handle_mknod(const struct dentry * new_dentry,
14602 + const struct dentry * parent_dentry,
14603 + const struct vfsmount * parent_mnt,
14610 +gr_acl_handle_mkdir(const struct dentry * new_dentry,
14611 + const struct dentry * parent_dentry,
14612 + const struct vfsmount * parent_mnt)
14618 +gr_acl_handle_symlink(const struct dentry * new_dentry,
14619 + const struct dentry * parent_dentry,
14620 + const struct vfsmount * parent_mnt, const char *from)
14626 +gr_acl_handle_link(const struct dentry * new_dentry,
14627 + const struct dentry * parent_dentry,
14628 + const struct vfsmount * parent_mnt,
14629 + const struct dentry * old_dentry,
14630 + const struct vfsmount * old_mnt, const char *to)
14636 +gr_acl_handle_rename(const struct dentry *new_dentry,
14637 + const struct dentry *parent_dentry,
14638 + const struct vfsmount *parent_mnt,
14639 + const struct dentry *old_dentry,
14640 + const struct inode *old_parent_inode,
14641 + const struct vfsmount *old_mnt, const char *newname)
14647 +gr_acl_handle_filldir(const struct file *file, const char *name,
14648 + const int namelen, const ino_t ino)
14654 +gr_handle_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
14655 + const time_t shm_createtime, const uid_t cuid, const int shmid)
14661 +gr_search_bind(const struct socket *sock, const struct sockaddr_in *addr)
14667 +gr_search_accept(const struct socket *sock)
14673 +gr_search_listen(const struct socket *sock)
14679 +gr_search_connect(const struct socket *sock, const struct sockaddr_in *addr)
14685 +gr_acl_handle_unix(const struct dentry * dentry, const struct vfsmount * mnt)
14691 +gr_acl_handle_creat(const struct dentry * dentry,
14692 + const struct dentry * p_dentry,
14693 + const struct vfsmount * p_mnt, const int fmode,
14700 +gr_acl_handle_exit(void)
14706 +gr_acl_handle_mprotect(const struct file *file, const unsigned long prot)
14712 +gr_set_role_label(const uid_t uid, const gid_t gid)
14718 +gr_acl_handle_procpidmem(const struct task_struct *task)
14724 +gr_search_udp_recvmsg(const struct sock *sk, const struct sk_buff *skb)
14730 +gr_search_udp_sendmsg(const struct sock *sk, const struct sockaddr_in *addr)
14736 +gr_set_kernel_label(struct task_struct *task)
14742 +gr_check_user_change(int real, int effective, int fs)
14748 +gr_check_group_change(int real, int effective, int fs)
14754 +EXPORT_SYMBOL(gr_task_is_capable);
14755 +EXPORT_SYMBOL(gr_learn_resource);
14756 +EXPORT_SYMBOL(gr_set_kernel_label);
14757 +#ifdef CONFIG_SECURITY
14758 +EXPORT_SYMBOL(gr_check_user_change);
14759 +EXPORT_SYMBOL(gr_check_group_change);
14761 diff -urNp linux-2.6.16.12/grsecurity/grsec_exec.c linux-2.6.16.12/grsecurity/grsec_exec.c
14762 --- linux-2.6.16.12/grsecurity/grsec_exec.c 1969-12-31 19:00:00.000000000 -0500
14763 +++ linux-2.6.16.12/grsecurity/grsec_exec.c 2006-05-01 20:17:34.000000000 -0400
14765 +#include <linux/kernel.h>
14766 +#include <linux/sched.h>
14767 +#include <linux/file.h>
14768 +#include <linux/binfmts.h>
14769 +#include <linux/smp_lock.h>
14770 +#include <linux/fs.h>
14771 +#include <linux/types.h>
14772 +#include <linux/grdefs.h>
14773 +#include <linux/grinternal.h>
14774 +#include <linux/capability.h>
14776 +#include <asm/uaccess.h>
14778 +#ifdef CONFIG_GRKERNSEC_EXECLOG
14779 +static char gr_exec_arg_buf[132];
14780 +static DECLARE_MUTEX(gr_exec_arg_sem);
14784 +gr_handle_nproc(void)
14786 +#ifdef CONFIG_GRKERNSEC_EXECVE
14787 + if (grsec_enable_execve && current->user &&
14788 + (atomic_read(¤t->user->processes) >
14789 + current->signal->rlim[RLIMIT_NPROC].rlim_cur) &&
14790 + !capable(CAP_SYS_ADMIN) && !capable(CAP_SYS_RESOURCE)) {
14791 + gr_log_noargs(GR_DONT_AUDIT, GR_NPROC_MSG);
14799 +gr_handle_exec_args(struct linux_binprm *bprm, const char __user *__user *argv)
14801 +#ifdef CONFIG_GRKERNSEC_EXECLOG
14802 + char *grarg = gr_exec_arg_buf;
14803 + unsigned int i, x, execlen = 0;
14806 + if (!((grsec_enable_execlog && grsec_enable_group &&
14807 + in_group_p(grsec_audit_gid))
14808 + || (grsec_enable_execlog && !grsec_enable_group)))
14811 + down(&gr_exec_arg_sem);
14812 + memset(grarg, 0, sizeof(gr_exec_arg_buf));
14814 + if (unlikely(argv == NULL))
14817 + for (i = 0; i < bprm->argc && execlen < 128; i++) {
14818 + const char __user *p;
14819 + unsigned int len;
14821 + if (copy_from_user(&p, argv + i, sizeof(p)))
14825 + len = strnlen_user(p, 128 - execlen);
14826 + if (len > 128 - execlen)
14827 + len = 128 - execlen;
14828 + else if (len > 0)
14830 + if (copy_from_user(grarg + execlen, p, len))
14833 + /* rewrite unprintable characters */
14834 + for (x = 0; x < len; x++) {
14835 + c = *(grarg + execlen + x);
14836 + if (c < 32 || c > 126)
14837 + *(grarg + execlen + x) = ' ';
14841 + *(grarg + execlen) = ' ';
14842 + *(grarg + execlen + 1) = '\0';
14847 + gr_log_fs_str(GR_DO_AUDIT, GR_EXEC_AUDIT_MSG, bprm->file->f_dentry,
14848 + bprm->file->f_vfsmnt, grarg);
14849 + up(&gr_exec_arg_sem);
14853 diff -urNp linux-2.6.16.12/grsecurity/grsec_fifo.c linux-2.6.16.12/grsecurity/grsec_fifo.c
14854 --- linux-2.6.16.12/grsecurity/grsec_fifo.c 1969-12-31 19:00:00.000000000 -0500
14855 +++ linux-2.6.16.12/grsecurity/grsec_fifo.c 2006-05-01 20:17:34.000000000 -0400
14857 +#include <linux/kernel.h>
14858 +#include <linux/sched.h>
14859 +#include <linux/fs.h>
14860 +#include <linux/file.h>
14861 +#include <linux/grinternal.h>
14864 +gr_handle_fifo(const struct dentry *dentry, const struct vfsmount *mnt,
14865 + const struct dentry *dir, const int flag, const int acc_mode)
14867 +#ifdef CONFIG_GRKERNSEC_FIFO
14868 + if (grsec_enable_fifo && S_ISFIFO(dentry->d_inode->i_mode) &&
14869 + !(flag & O_EXCL) && (dir->d_inode->i_mode & S_ISVTX) &&
14870 + (dentry->d_inode->i_uid != dir->d_inode->i_uid) &&
14871 + (current->fsuid != dentry->d_inode->i_uid)) {
14872 + if (!generic_permission(dentry->d_inode, acc_mode, NULL))
14873 + gr_log_fs_int2(GR_DONT_AUDIT, GR_FIFO_MSG, dentry, mnt, dentry->d_inode->i_uid, dentry->d_inode->i_gid);
14879 diff -urNp linux-2.6.16.12/grsecurity/grsec_fork.c linux-2.6.16.12/grsecurity/grsec_fork.c
14880 --- linux-2.6.16.12/grsecurity/grsec_fork.c 1969-12-31 19:00:00.000000000 -0500
14881 +++ linux-2.6.16.12/grsecurity/grsec_fork.c 2006-05-01 20:17:34.000000000 -0400
14883 +#include <linux/kernel.h>
14884 +#include <linux/sched.h>
14885 +#include <linux/grsecurity.h>
14886 +#include <linux/grinternal.h>
14889 +gr_log_forkfail(const int retval)
14891 +#ifdef CONFIG_GRKERNSEC_FORKFAIL
14892 + if (grsec_enable_forkfail)
14893 + gr_log_int(GR_DONT_AUDIT, GR_FAILFORK_MSG, retval);
14897 diff -urNp linux-2.6.16.12/grsecurity/grsec_init.c linux-2.6.16.12/grsecurity/grsec_init.c
14898 --- linux-2.6.16.12/grsecurity/grsec_init.c 1969-12-31 19:00:00.000000000 -0500
14899 +++ linux-2.6.16.12/grsecurity/grsec_init.c 2006-05-01 20:17:34.000000000 -0400
14901 +#include <linux/kernel.h>
14902 +#include <linux/sched.h>
14903 +#include <linux/mm.h>
14904 +#include <linux/smp_lock.h>
14905 +#include <linux/gracl.h>
14906 +#include <linux/slab.h>
14907 +#include <linux/vmalloc.h>
14908 +#include <linux/percpu.h>
14910 +int grsec_enable_shm;
14911 +int grsec_enable_link;
14912 +int grsec_enable_dmesg;
14913 +int grsec_enable_fifo;
14914 +int grsec_enable_execve;
14915 +int grsec_enable_execlog;
14916 +int grsec_enable_signal;
14917 +int grsec_enable_forkfail;
14918 +int grsec_enable_time;
14919 +int grsec_enable_audit_textrel;
14920 +int grsec_enable_group;
14921 +int grsec_audit_gid;
14922 +int grsec_enable_chdir;
14923 +int grsec_enable_audit_ipc;
14924 +int grsec_enable_mount;
14925 +int grsec_enable_chroot_findtask;
14926 +int grsec_enable_chroot_mount;
14927 +int grsec_enable_chroot_shmat;
14928 +int grsec_enable_chroot_fchdir;
14929 +int grsec_enable_chroot_double;
14930 +int grsec_enable_chroot_pivot;
14931 +int grsec_enable_chroot_chdir;
14932 +int grsec_enable_chroot_chmod;
14933 +int grsec_enable_chroot_mknod;
14934 +int grsec_enable_chroot_nice;
14935 +int grsec_enable_chroot_execlog;
14936 +int grsec_enable_chroot_caps;
14937 +int grsec_enable_chroot_sysctl;
14938 +int grsec_enable_chroot_unix;
14939 +int grsec_enable_tpe;
14940 +int grsec_tpe_gid;
14941 +int grsec_enable_tpe_all;
14942 +int grsec_enable_randpid;
14943 +int grsec_enable_socket_all;
14944 +int grsec_socket_all_gid;
14945 +int grsec_enable_socket_client;
14946 +int grsec_socket_client_gid;
14947 +int grsec_enable_socket_server;
14948 +int grsec_socket_server_gid;
14951 +spinlock_t grsec_alert_lock = SPIN_LOCK_UNLOCKED;
14952 +unsigned long grsec_alert_wtime = 0;
14953 +unsigned long grsec_alert_fyet = 0;
14955 +spinlock_t grsec_audit_lock = SPIN_LOCK_UNLOCKED;
14957 +rwlock_t grsec_exec_file_lock = RW_LOCK_UNLOCKED;
14959 +char *gr_shared_page[4];
14961 +char *gr_alert_log_fmt;
14962 +char *gr_audit_log_fmt;
14963 +char *gr_alert_log_buf;
14964 +char *gr_audit_log_buf;
14966 +extern struct gr_arg *gr_usermode;
14967 +extern unsigned char *gr_system_salt;
14968 +extern unsigned char *gr_system_sum;
14971 +grsecurity_init(void)
14974 + /* create the per-cpu shared pages */
14976 + preempt_disable();
14977 + for (j = 0; j < 4; j++) {
14978 + gr_shared_page[j] = (char *)__alloc_percpu(PAGE_SIZE);
14979 + if (gr_shared_page[j] == NULL) {
14980 + panic("Unable to allocate grsecurity shared page");
14984 + preempt_enable();
14986 + /* allocate log buffers */
14987 + gr_alert_log_fmt = kmalloc(512, GFP_KERNEL);
14988 + if (!gr_alert_log_fmt) {
14989 + panic("Unable to allocate grsecurity alert log format buffer");
14992 + gr_audit_log_fmt = kmalloc(512, GFP_KERNEL);
14993 + if (!gr_audit_log_fmt) {
14994 + panic("Unable to allocate grsecurity audit log format buffer");
14997 + gr_alert_log_buf = (char *) get_zeroed_page(GFP_KERNEL);
14998 + if (!gr_alert_log_buf) {
14999 + panic("Unable to allocate grsecurity alert log buffer");
15002 + gr_audit_log_buf = (char *) get_zeroed_page(GFP_KERNEL);
15003 + if (!gr_audit_log_buf) {
15004 + panic("Unable to allocate grsecurity audit log buffer");
15008 + /* allocate memory for authentication structure */
15009 + gr_usermode = kmalloc(sizeof(struct gr_arg), GFP_KERNEL);
15010 + gr_system_salt = kmalloc(GR_SALT_LEN, GFP_KERNEL);
15011 + gr_system_sum = kmalloc(GR_SHA_LEN, GFP_KERNEL);
15013 + if (!gr_usermode || !gr_system_salt || !gr_system_sum) {
15014 + panic("Unable to allocate grsecurity authentication structure");
15018 +#if !defined(CONFIG_GRKERNSEC_SYSCTL) || defined(CONFIG_GRKERNSEC_SYSCTL_ON)
15019 +#ifndef CONFIG_GRKERNSEC_SYSCTL
15022 +#ifdef CONFIG_GRKERNSEC_SHM
15023 + grsec_enable_shm = 1;
15025 +#ifdef CONFIG_GRKERNSEC_AUDIT_TEXTREL
15026 + grsec_enable_audit_textrel = 1;
15028 +#ifdef CONFIG_GRKERNSEC_AUDIT_GROUP
15029 + grsec_enable_group = 1;
15030 + grsec_audit_gid = CONFIG_GRKERNSEC_AUDIT_GID;
15032 +#ifdef CONFIG_GRKERNSEC_AUDIT_CHDIR
15033 + grsec_enable_chdir = 1;
15035 +#ifdef CONFIG_GRKERNSEC_AUDIT_IPC
15036 + grsec_enable_audit_ipc = 1;
15038 +#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
15039 + grsec_enable_mount = 1;
15041 +#ifdef CONFIG_GRKERNSEC_LINK
15042 + grsec_enable_link = 1;
15044 +#ifdef CONFIG_GRKERNSEC_DMESG
15045 + grsec_enable_dmesg = 1;
15047 +#ifdef CONFIG_GRKERNSEC_FIFO
15048 + grsec_enable_fifo = 1;
15050 +#ifdef CONFIG_GRKERNSEC_EXECVE
15051 + grsec_enable_execve = 1;
15053 +#ifdef CONFIG_GRKERNSEC_EXECLOG
15054 + grsec_enable_execlog = 1;
15056 +#ifdef CONFIG_GRKERNSEC_SIGNAL
15057 + grsec_enable_signal = 1;
15059 +#ifdef CONFIG_GRKERNSEC_FORKFAIL
15060 + grsec_enable_forkfail = 1;
15062 +#ifdef CONFIG_GRKERNSEC_TIME
15063 + grsec_enable_time = 1;
15065 +#ifdef CONFIG_GRKERNSEC_CHROOT_FINDTASK
15066 + grsec_enable_chroot_findtask = 1;
15068 +#ifdef CONFIG_GRKERNSEC_CHROOT_UNIX
15069 + grsec_enable_chroot_unix = 1;
15071 +#ifdef CONFIG_GRKERNSEC_CHROOT_MOUNT
15072 + grsec_enable_chroot_mount = 1;
15074 +#ifdef CONFIG_GRKERNSEC_CHROOT_FCHDIR
15075 + grsec_enable_chroot_fchdir = 1;
15077 +#ifdef CONFIG_GRKERNSEC_CHROOT_SHMAT
15078 + grsec_enable_chroot_shmat = 1;
15080 +#ifdef CONFIG_GRKERNSEC_CHROOT_DOUBLE
15081 + grsec_enable_chroot_double = 1;
15083 +#ifdef CONFIG_GRKERNSEC_CHROOT_PIVOT
15084 + grsec_enable_chroot_pivot = 1;
15086 +#ifdef CONFIG_GRKERNSEC_CHROOT_CHDIR
15087 + grsec_enable_chroot_chdir = 1;
15089 +#ifdef CONFIG_GRKERNSEC_CHROOT_CHMOD
15090 + grsec_enable_chroot_chmod = 1;
15092 +#ifdef CONFIG_GRKERNSEC_CHROOT_MKNOD
15093 + grsec_enable_chroot_mknod = 1;
15095 +#ifdef CONFIG_GRKERNSEC_CHROOT_NICE
15096 + grsec_enable_chroot_nice = 1;
15098 +#ifdef CONFIG_GRKERNSEC_CHROOT_EXECLOG
15099 + grsec_enable_chroot_execlog = 1;
15101 +#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
15102 + grsec_enable_chroot_caps = 1;
15104 +#ifdef CONFIG_GRKERNSEC_CHROOT_SYSCTL
15105 + grsec_enable_chroot_sysctl = 1;
15107 +#ifdef CONFIG_GRKERNSEC_TPE
15108 + grsec_enable_tpe = 1;
15109 + grsec_tpe_gid = CONFIG_GRKERNSEC_TPE_GID;
15110 +#ifdef CONFIG_GRKERNSEC_TPE_ALL
15111 + grsec_enable_tpe_all = 1;
15114 +#ifdef CONFIG_GRKERNSEC_RANDPID
15115 + grsec_enable_randpid = 1;
15117 +#ifdef CONFIG_GRKERNSEC_SOCKET_ALL
15118 + grsec_enable_socket_all = 1;
15119 + grsec_socket_all_gid = CONFIG_GRKERNSEC_SOCKET_ALL_GID;
15121 +#ifdef CONFIG_GRKERNSEC_SOCKET_CLIENT
15122 + grsec_enable_socket_client = 1;
15123 + grsec_socket_client_gid = CONFIG_GRKERNSEC_SOCKET_CLIENT_GID;
15125 +#ifdef CONFIG_GRKERNSEC_SOCKET_SERVER
15126 + grsec_enable_socket_server = 1;
15127 + grsec_socket_server_gid = CONFIG_GRKERNSEC_SOCKET_SERVER_GID;
15133 diff -urNp linux-2.6.16.12/grsecurity/grsec_ipc.c linux-2.6.16.12/grsecurity/grsec_ipc.c
15134 --- linux-2.6.16.12/grsecurity/grsec_ipc.c 1969-12-31 19:00:00.000000000 -0500
15135 +++ linux-2.6.16.12/grsecurity/grsec_ipc.c 2006-05-01 20:17:34.000000000 -0400
15137 +#include <linux/kernel.h>
15138 +#include <linux/sched.h>
15139 +#include <linux/types.h>
15140 +#include <linux/ipc.h>
15141 +#include <linux/grsecurity.h>
15142 +#include <linux/grinternal.h>
15145 +gr_log_msgget(const int ret, const int msgflg)
15147 +#ifdef CONFIG_GRKERNSEC_AUDIT_IPC
15148 + if (((grsec_enable_group && in_group_p(grsec_audit_gid) &&
15149 + grsec_enable_audit_ipc) || (grsec_enable_audit_ipc &&
15150 + !grsec_enable_group)) && (ret >= 0)
15151 + && (msgflg & IPC_CREAT))
15152 + gr_log_noargs(GR_DO_AUDIT, GR_MSGQ_AUDIT_MSG);
15158 +gr_log_msgrm(const uid_t uid, const uid_t cuid)
15160 +#ifdef CONFIG_GRKERNSEC_AUDIT_IPC
15161 + if ((grsec_enable_group && in_group_p(grsec_audit_gid) &&
15162 + grsec_enable_audit_ipc) ||
15163 + (grsec_enable_audit_ipc && !grsec_enable_group))
15164 + gr_log_int_int(GR_DO_AUDIT, GR_MSGQR_AUDIT_MSG, uid, cuid);
15170 +gr_log_semget(const int err, const int semflg)
15172 +#ifdef CONFIG_GRKERNSEC_AUDIT_IPC
15173 + if (((grsec_enable_group && in_group_p(grsec_audit_gid) &&
15174 + grsec_enable_audit_ipc) || (grsec_enable_audit_ipc &&
15175 + !grsec_enable_group)) && (err >= 0)
15176 + && (semflg & IPC_CREAT))
15177 + gr_log_noargs(GR_DO_AUDIT, GR_SEM_AUDIT_MSG);
15183 +gr_log_semrm(const uid_t uid, const uid_t cuid)
15185 +#ifdef CONFIG_GRKERNSEC_AUDIT_IPC
15186 + if ((grsec_enable_group && in_group_p(grsec_audit_gid) &&
15187 + grsec_enable_audit_ipc) ||
15188 + (grsec_enable_audit_ipc && !grsec_enable_group))
15189 + gr_log_int_int(GR_DO_AUDIT, GR_SEMR_AUDIT_MSG, uid, cuid);
15195 +gr_log_shmget(const int err, const int shmflg, const size_t size)
15197 +#ifdef CONFIG_GRKERNSEC_AUDIT_IPC
15198 + if (((grsec_enable_group && in_group_p(grsec_audit_gid) &&
15199 + grsec_enable_audit_ipc) || (grsec_enable_audit_ipc &&
15200 + !grsec_enable_group)) && (err >= 0)
15201 + && (shmflg & IPC_CREAT))
15202 + gr_log_int(GR_DO_AUDIT, GR_SHM_AUDIT_MSG, size);
15208 +gr_log_shmrm(const uid_t uid, const uid_t cuid)
15210 +#ifdef CONFIG_GRKERNSEC_AUDIT_IPC
15211 + if ((grsec_enable_group && in_group_p(grsec_audit_gid) &&
15212 + grsec_enable_audit_ipc) ||
15213 + (grsec_enable_audit_ipc && !grsec_enable_group))
15214 + gr_log_int_int(GR_DO_AUDIT, GR_SHMR_AUDIT_MSG, uid, cuid);
15218 diff -urNp linux-2.6.16.12/grsecurity/grsec_link.c linux-2.6.16.12/grsecurity/grsec_link.c
15219 --- linux-2.6.16.12/grsecurity/grsec_link.c 1969-12-31 19:00:00.000000000 -0500
15220 +++ linux-2.6.16.12/grsecurity/grsec_link.c 2006-05-01 20:17:34.000000000 -0400
15222 +#include <linux/kernel.h>
15223 +#include <linux/sched.h>
15224 +#include <linux/fs.h>
15225 +#include <linux/file.h>
15226 +#include <linux/grinternal.h>
15229 +gr_handle_follow_link(const struct inode *parent,
15230 + const struct inode *inode,
15231 + const struct dentry *dentry, const struct vfsmount *mnt)
15233 +#ifdef CONFIG_GRKERNSEC_LINK
15234 + if (grsec_enable_link && S_ISLNK(inode->i_mode) &&
15235 + (parent->i_mode & S_ISVTX) && (parent->i_uid != inode->i_uid) &&
15236 + (parent->i_mode & S_IWOTH) && (current->fsuid != inode->i_uid)) {
15237 + gr_log_fs_int2(GR_DONT_AUDIT, GR_SYMLINK_MSG, dentry, mnt, inode->i_uid, inode->i_gid);
15245 +gr_handle_hardlink(const struct dentry *dentry,
15246 + const struct vfsmount *mnt,
15247 + struct inode *inode, const int mode, const char *to)
15249 +#ifdef CONFIG_GRKERNSEC_LINK
15250 + if (grsec_enable_link && current->fsuid != inode->i_uid &&
15251 + (!S_ISREG(mode) || (mode & S_ISUID) ||
15252 + ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP)) ||
15253 + (generic_permission(inode, MAY_READ | MAY_WRITE, NULL))) &&
15254 + !capable(CAP_FOWNER) && current->uid) {
15255 + gr_log_fs_int2_str(GR_DONT_AUDIT, GR_HARDLINK_MSG, dentry, mnt, inode->i_uid, inode->i_gid, to);
15261 diff -urNp linux-2.6.16.12/grsecurity/grsec_log.c linux-2.6.16.12/grsecurity/grsec_log.c
15262 --- linux-2.6.16.12/grsecurity/grsec_log.c 1969-12-31 19:00:00.000000000 -0500
15263 +++ linux-2.6.16.12/grsecurity/grsec_log.c 2006-05-01 20:17:34.000000000 -0400
15265 +#include <linux/kernel.h>
15266 +#include <linux/sched.h>
15267 +#include <linux/file.h>
15268 +#include <linux/tty.h>
15269 +#include <linux/fs.h>
15270 +#include <linux/grinternal.h>
15272 +#define BEGIN_LOCKS(x) \
15273 + read_lock(&tasklist_lock); \
15274 + read_lock(&grsec_exec_file_lock); \
15275 + if (x != GR_DO_AUDIT) \
15276 + spin_lock(&grsec_alert_lock); \
15278 + spin_lock(&grsec_audit_lock)
15280 +#define END_LOCKS(x) \
15281 + if (x != GR_DO_AUDIT) \
15282 + spin_unlock(&grsec_alert_lock); \
15284 + spin_unlock(&grsec_audit_lock); \
15285 + read_unlock(&grsec_exec_file_lock); \
15286 + read_unlock(&tasklist_lock); \
15287 + if (x == GR_DONT_AUDIT) \
15288 + gr_handle_alertkill(current)
15295 +extern char *gr_alert_log_fmt;
15296 +extern char *gr_audit_log_fmt;
15297 +extern char *gr_alert_log_buf;
15298 +extern char *gr_audit_log_buf;
15300 +static int gr_log_start(int audit)
15302 + char *loglevel = (audit == GR_DO_AUDIT) ? KERN_INFO : KERN_ALERT;
15303 + char *fmt = (audit == GR_DO_AUDIT) ? gr_audit_log_fmt : gr_alert_log_fmt;
15304 + char *buf = (audit == GR_DO_AUDIT) ? gr_audit_log_buf : gr_alert_log_buf;
15306 + if (audit == GR_DO_AUDIT)
15309 + if (!grsec_alert_wtime || jiffies - grsec_alert_wtime > CONFIG_GRKERNSEC_FLOODTIME * HZ) {
15310 + grsec_alert_wtime = jiffies;
15311 + grsec_alert_fyet = 0;
15312 + } else if ((jiffies - grsec_alert_wtime < CONFIG_GRKERNSEC_FLOODTIME * HZ) && (grsec_alert_fyet < CONFIG_GRKERNSEC_FLOODBURST)) {
15313 + grsec_alert_fyet++;
15314 + } else if (grsec_alert_fyet == CONFIG_GRKERNSEC_FLOODBURST) {
15315 + grsec_alert_wtime = jiffies;
15316 + grsec_alert_fyet++;
15317 + printk(KERN_ALERT "grsec: more alerts, logging disabled for %d seconds\n", CONFIG_GRKERNSEC_FLOODTIME);
15319 + } else return FLOODING;
15322 + memset(buf, 0, PAGE_SIZE);
15323 + if (current->signal->curr_ip && gr_acl_is_enabled()) {
15324 + sprintf(fmt, "%s%s", loglevel, "grsec: From %u.%u.%u.%u: (%.64s:%c:%.950s) ");
15325 + snprintf(buf, PAGE_SIZE - 1, fmt, NIPQUAD(current->signal->curr_ip), current->role->rolename, gr_roletype_to_char(), current->acl->filename);
15326 + } else if (current->signal->curr_ip) {
15327 + sprintf(fmt, "%s%s", loglevel, "grsec: From %u.%u.%u.%u: ");
15328 + snprintf(buf, PAGE_SIZE - 1, fmt, NIPQUAD(current->signal->curr_ip));
15329 + } else if (gr_acl_is_enabled()) {
15330 + sprintf(fmt, "%s%s", loglevel, "grsec: (%.64s:%c:%.950s) ");
15331 + snprintf(buf, PAGE_SIZE - 1, fmt, current->role->rolename, gr_roletype_to_char(), current->acl->filename);
15333 + sprintf(fmt, "%s%s", loglevel, "grsec: ");
15334 + strcpy(buf, fmt);
15337 + return NO_FLOODING;
15340 +static void gr_log_middle(int audit, const char *msg, va_list ap)
15342 + char *buf = (audit == GR_DO_AUDIT) ? gr_audit_log_buf : gr_alert_log_buf;
15343 + unsigned int len = strlen(buf);
15345 + vsnprintf(buf + len, PAGE_SIZE - len - 1, msg, ap);
15350 +static void gr_log_middle_varargs(int audit, const char *msg, ...)
15352 + char *buf = (audit == GR_DO_AUDIT) ? gr_audit_log_buf : gr_alert_log_buf;
15353 + unsigned int len = strlen(buf);
15356 + va_start(ap, msg);
15357 + vsnprintf(buf + len, PAGE_SIZE - len - 1, msg, ap);
15363 +static void gr_log_end(int audit)
15365 + char *buf = (audit == GR_DO_AUDIT) ? gr_audit_log_buf : gr_alert_log_buf;
15366 + unsigned int len = strlen(buf);
15368 + snprintf(buf + len, PAGE_SIZE - len - 1, DEFAULTSECMSG, DEFAULTSECARGS(current));
15369 + printk("%s\n", buf);
15374 +void gr_log_varargs(int audit, const char *msg, int argtypes, ...)
15377 + char *result = (audit == GR_DO_AUDIT) ? "successful" : "denied";
15378 + char *str1, *str2, *str3;
15380 + unsigned long ulong1, ulong2;
15381 + struct dentry *dentry;
15382 + struct vfsmount *mnt;
15383 + struct file *file;
15384 + struct task_struct *task;
15387 + BEGIN_LOCKS(audit);
15388 + logtype = gr_log_start(audit);
15389 + if (logtype == FLOODING) {
15390 + END_LOCKS(audit);
15393 + va_start(ap, argtypes);
15394 + switch (argtypes) {
15395 + case GR_TTYSNIFF:
15396 + task = va_arg(ap, struct task_struct *);
15397 + gr_log_middle_varargs(audit, msg, NIPQUAD(task->signal->curr_ip), gr_task_fullpath0(task), task->comm, task->pid, gr_parent_task_fullpath0(task), task->parent->comm, task->parent->pid);
15400 + dentry = va_arg(ap, struct dentry *);
15401 + mnt = va_arg(ap, struct vfsmount *);
15402 + gr_log_middle_varargs(audit, msg, result, gr_to_filename(dentry, mnt));
15404 + case GR_RBAC_STR:
15405 + dentry = va_arg(ap, struct dentry *);
15406 + mnt = va_arg(ap, struct vfsmount *);
15407 + str1 = va_arg(ap, char *);
15408 + gr_log_middle_varargs(audit, msg, result, gr_to_filename(dentry, mnt), str1);
15410 + case GR_STR_RBAC:
15411 + str1 = va_arg(ap, char *);
15412 + dentry = va_arg(ap, struct dentry *);
15413 + mnt = va_arg(ap, struct vfsmount *);
15414 + gr_log_middle_varargs(audit, msg, result, str1, gr_to_filename(dentry, mnt));
15416 + case GR_RBAC_MODE2:
15417 + dentry = va_arg(ap, struct dentry *);
15418 + mnt = va_arg(ap, struct vfsmount *);
15419 + str1 = va_arg(ap, char *);
15420 + str2 = va_arg(ap, char *);
15421 + gr_log_middle_varargs(audit, msg, result, gr_to_filename(dentry, mnt), str1, str2);
15423 + case GR_RBAC_MODE3:
15424 + dentry = va_arg(ap, struct dentry *);
15425 + mnt = va_arg(ap, struct vfsmount *);
15426 + str1 = va_arg(ap, char *);
15427 + str2 = va_arg(ap, char *);
15428 + str3 = va_arg(ap, char *);
15429 + gr_log_middle_varargs(audit, msg, result, gr_to_filename(dentry, mnt), str1, str2, str3);
15431 + case GR_FILENAME:
15432 + dentry = va_arg(ap, struct dentry *);
15433 + mnt = va_arg(ap, struct vfsmount *);
15434 + gr_log_middle_varargs(audit, msg, gr_to_filename(dentry, mnt));
15436 + case GR_STR_FILENAME:
15437 + str1 = va_arg(ap, char *);
15438 + dentry = va_arg(ap, struct dentry *);
15439 + mnt = va_arg(ap, struct vfsmount *);
15440 + gr_log_middle_varargs(audit, msg, str1, gr_to_filename(dentry, mnt));
15442 + case GR_FILENAME_STR:
15443 + dentry = va_arg(ap, struct dentry *);
15444 + mnt = va_arg(ap, struct vfsmount *);
15445 + str1 = va_arg(ap, char *);
15446 + gr_log_middle_varargs(audit, msg, gr_to_filename(dentry, mnt), str1);
15448 + case GR_FILENAME_TWO_INT:
15449 + dentry = va_arg(ap, struct dentry *);
15450 + mnt = va_arg(ap, struct vfsmount *);
15451 + num1 = va_arg(ap, int);
15452 + num2 = va_arg(ap, int);
15453 + gr_log_middle_varargs(audit, msg, gr_to_filename(dentry, mnt), num1, num2);
15455 + case GR_FILENAME_TWO_INT_STR:
15456 + dentry = va_arg(ap, struct dentry *);
15457 + mnt = va_arg(ap, struct vfsmount *);
15458 + num1 = va_arg(ap, int);
15459 + num2 = va_arg(ap, int);
15460 + str1 = va_arg(ap, char *);
15461 + gr_log_middle_varargs(audit, msg, gr_to_filename(dentry, mnt), num1, num2, str1);
15464 + file = va_arg(ap, struct file *);
15465 + ulong1 = va_arg(ap, unsigned long);
15466 + ulong2 = va_arg(ap, unsigned long);
15467 + gr_log_middle_varargs(audit, msg, file ? gr_to_filename(file->f_dentry, file->f_vfsmnt) : "<anonymous mapping>", ulong1, ulong2);
15470 + task = va_arg(ap, struct task_struct *);
15471 + gr_log_middle_varargs(audit, msg, task->exec_file ? gr_to_filename(task->exec_file->f_dentry, task->exec_file->f_vfsmnt) : "(none)", task->comm, task->pid);
15473 + case GR_RESOURCE:
15474 + task = va_arg(ap, struct task_struct *);
15475 + ulong1 = va_arg(ap, unsigned long);
15476 + str1 = va_arg(ap, char *);
15477 + ulong2 = va_arg(ap, unsigned long);
15478 + gr_log_middle_varargs(audit, msg, ulong1, str1, ulong2, gr_task_fullpath(task), task->comm, task->pid, task->uid, task->euid, task->gid, task->egid, gr_parent_task_fullpath(task), task->parent->comm, task->parent->pid, task->parent->uid, task->parent->euid, task->parent->gid, task->parent->egid);
15481 + task = va_arg(ap, struct task_struct *);
15482 + str1 = va_arg(ap, char *);
15483 + gr_log_middle_varargs(audit, msg, str1, gr_task_fullpath(task), task->comm, task->pid, task->uid, task->euid, task->gid, task->egid, gr_parent_task_fullpath(task), task->parent->comm, task->parent->pid, task->parent->uid, task->parent->euid, task->parent->gid, task->parent->egid);
15486 + task = va_arg(ap, struct task_struct *);
15487 + num1 = va_arg(ap, int);
15488 + gr_log_middle_varargs(audit, msg, num1, gr_task_fullpath0(task), task->comm, task->pid, task->uid, task->euid, task->gid, task->egid, gr_parent_task_fullpath0(task), task->parent->comm, task->parent->pid, task->parent->uid, task->parent->euid, task->parent->gid, task->parent->egid);
15491 + task = va_arg(ap, struct task_struct *);
15492 + ulong1 = va_arg(ap, unsigned long);
15493 + gr_log_middle_varargs(audit, msg, gr_task_fullpath(task), task->comm, task->pid, task->uid, task->euid, task->gid, task->egid, gr_parent_task_fullpath(task), task->parent->comm, task->parent->pid, task->parent->uid, task->parent->euid, task->parent->gid, task->parent->egid, task->uid, ulong1);
15496 + task = va_arg(ap, struct task_struct *);
15497 + ulong1 = va_arg(ap, unsigned long);
15498 + gr_log_middle_varargs(audit, msg, gr_task_fullpath(task), task->comm, task->pid, task->uid, task->euid, task->gid, task->egid, gr_parent_task_fullpath(task), task->parent->comm, task->parent->pid, task->parent->uid, task->parent->euid, task->parent->gid, task->parent->egid, ulong1);
15502 + unsigned int wday, cday;
15506 + char cur_tty[64] = { 0 };
15507 + char parent_tty[64] = { 0 };
15509 + task = va_arg(ap, struct task_struct *);
15510 + wday = va_arg(ap, unsigned int);
15511 + cday = va_arg(ap, unsigned int);
15512 + whr = va_arg(ap, int);
15513 + chr = va_arg(ap, int);
15514 + wmin = va_arg(ap, int);
15515 + cmin = va_arg(ap, int);
15516 + wsec = va_arg(ap, int);
15517 + csec = va_arg(ap, int);
15518 + ulong1 = va_arg(ap, unsigned long);
15520 + gr_log_middle_varargs(audit, msg, gr_task_fullpath(task), task->comm, task->pid, NIPQUAD(task->signal->curr_ip), tty_name(task->signal->tty, cur_tty), task->uid, task->euid, task->gid, task->egid, wday, whr, wmin, wsec, cday, chr, cmin, csec, (task->flags & PF_SIGNALED) ? "killed by signal" : "exited", ulong1, gr_parent_task_fullpath(task), task->parent->comm, task->parent->pid, NIPQUAD(task->parent->signal->curr_ip), tty_name(task->parent->signal->tty, parent_tty), task->parent->uid, task->parent->euid, task->parent->gid, task->parent->egid);
15524 + gr_log_middle(audit, msg, ap);
15527 + gr_log_end(audit);
15528 + END_LOCKS(audit);
15530 diff -urNp linux-2.6.16.12/grsecurity/grsec_mem.c linux-2.6.16.12/grsecurity/grsec_mem.c
15531 --- linux-2.6.16.12/grsecurity/grsec_mem.c 1969-12-31 19:00:00.000000000 -0500
15532 +++ linux-2.6.16.12/grsecurity/grsec_mem.c 2006-05-01 20:17:34.000000000 -0400
15534 +#include <linux/kernel.h>
15535 +#include <linux/sched.h>
15536 +#include <linux/mm.h>
15537 +#include <linux/mman.h>
15538 +#include <linux/grinternal.h>
15541 +gr_handle_ioperm(void)
15543 + gr_log_noargs(GR_DONT_AUDIT, GR_IOPERM_MSG);
15548 +gr_handle_iopl(void)
15550 + gr_log_noargs(GR_DONT_AUDIT, GR_IOPL_MSG);
15555 +gr_handle_mem_write(void)
15557 + gr_log_noargs(GR_DONT_AUDIT, GR_MEM_WRITE_MSG);
15562 +gr_handle_kmem_write(void)
15564 + gr_log_noargs(GR_DONT_AUDIT, GR_KMEM_MSG);
15569 +gr_handle_open_port(void)
15571 + gr_log_noargs(GR_DONT_AUDIT, GR_PORT_OPEN_MSG);
15576 +gr_handle_mem_mmap(const unsigned long offset, struct vm_area_struct *vma)
15578 + unsigned long start, end;
15581 + end = start + vma->vm_end - vma->vm_start;
15583 + if (start > end) {
15584 + gr_log_noargs(GR_DONT_AUDIT, GR_MEM_MMAP_MSG);
15588 + /* allowed ranges : ISA I/O BIOS */
15589 + if ((start >= __pa(high_memory))
15591 + || (start >= 0x000a0000 && end <= 0x00100000)
15592 + || (start >= 0x00000000 && end <= 0x00001000)
15597 + if (vma->vm_flags & VM_WRITE) {
15598 + gr_log_noargs(GR_DONT_AUDIT, GR_MEM_MMAP_MSG);
15601 + vma->vm_flags &= ~VM_MAYWRITE;
15605 diff -urNp linux-2.6.16.12/grsecurity/grsec_mount.c linux-2.6.16.12/grsecurity/grsec_mount.c
15606 --- linux-2.6.16.12/grsecurity/grsec_mount.c 1969-12-31 19:00:00.000000000 -0500
15607 +++ linux-2.6.16.12/grsecurity/grsec_mount.c 2006-05-01 20:17:34.000000000 -0400
15609 +#include <linux/kernel.h>
15610 +#include <linux/sched.h>
15611 +#include <linux/grsecurity.h>
15612 +#include <linux/grinternal.h>
15615 +gr_log_remount(const char *devname, const int retval)
15617 +#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
15618 + if (grsec_enable_mount && (retval >= 0))
15619 + gr_log_str(GR_DO_AUDIT, GR_REMOUNT_AUDIT_MSG, devname ? devname : "none");
15625 +gr_log_unmount(const char *devname, const int retval)
15627 +#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
15628 + if (grsec_enable_mount && (retval >= 0))
15629 + gr_log_str(GR_DO_AUDIT, GR_UNMOUNT_AUDIT_MSG, devname ? devname : "none");
15635 +gr_log_mount(const char *from, const char *to, const int retval)
15637 +#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
15638 + if (grsec_enable_mount && (retval >= 0))
15639 + gr_log_str_str(GR_DO_AUDIT, GR_MOUNT_AUDIT_MSG, from, to);
15643 diff -urNp linux-2.6.16.12/grsecurity/grsec_rand.c linux-2.6.16.12/grsecurity/grsec_rand.c
15644 --- linux-2.6.16.12/grsecurity/grsec_rand.c 1969-12-31 19:00:00.000000000 -0500
15645 +++ linux-2.6.16.12/grsecurity/grsec_rand.c 2006-05-01 20:17:34.000000000 -0400
15647 +#include <linux/kernel.h>
15648 +#include <linux/sched.h>
15649 +#include <linux/smp_lock.h>
15650 +#include <linux/grsecurity.h>
15651 +#include <linux/grinternal.h>
15653 +extern int pid_max;
15656 +gr_random_pid(void)
15658 +#ifdef CONFIG_GRKERNSEC_RANDPID
15661 + if (grsec_enable_randpid && current->fs->root) {
15662 + /* return a pid in the range 1 ... pid_max - 1
15663 + optimize this so we don't have to do a real division
15665 + pid = 1 + (get_random_long() % pid_max);
15666 + if (pid == pid_max)
15667 + pid = pid_max - 1;
15673 diff -urNp linux-2.6.16.12/grsecurity/grsec_sig.c linux-2.6.16.12/grsecurity/grsec_sig.c
15674 --- linux-2.6.16.12/grsecurity/grsec_sig.c 1969-12-31 19:00:00.000000000 -0500
15675 +++ linux-2.6.16.12/grsecurity/grsec_sig.c 2006-05-01 20:17:34.000000000 -0400
15677 +#include <linux/kernel.h>
15678 +#include <linux/sched.h>
15679 +#include <linux/grsecurity.h>
15680 +#include <linux/grinternal.h>
15683 +gr_log_signal(const int sig, const struct task_struct *t)
15685 +#ifdef CONFIG_GRKERNSEC_SIGNAL
15686 + if (grsec_enable_signal && ((sig == SIGSEGV) || (sig == SIGILL) ||
15687 + (sig == SIGABRT) || (sig == SIGBUS))) {
15688 + if (t->pid == current->pid) {
15689 + gr_log_int(GR_DONT_AUDIT_GOOD, GR_UNISIGLOG_MSG, sig);
15691 + gr_log_sig(GR_DONT_AUDIT_GOOD, GR_DUALSIGLOG_MSG, t, sig);
15699 +gr_handle_signal(const struct task_struct *p, const int sig)
15701 +#ifdef CONFIG_GRKERNSEC
15702 + if (current->pid > 1 && gr_check_protected_task(p)) {
15703 + gr_log_sig(GR_DONT_AUDIT, GR_SIG_ACL_MSG, p, sig);
15705 + } else if (gr_pid_is_chrooted((struct task_struct *)p)) {
15712 +void gr_handle_brute_attach(struct task_struct *p)
15714 +#ifdef CONFIG_GRKERNSEC_BRUTE
15715 + read_lock(&tasklist_lock);
15716 + read_lock(&grsec_exec_file_lock);
15717 + if (p->parent && p->parent->exec_file == p->exec_file)
15718 + p->parent->brute = 1;
15719 + read_unlock(&grsec_exec_file_lock);
15720 + read_unlock(&tasklist_lock);
15725 +void gr_handle_brute_check(void)
15727 +#ifdef CONFIG_GRKERNSEC_BRUTE
15728 + if (current->brute) {
15729 + set_current_state(TASK_UNINTERRUPTIBLE);
15730 + schedule_timeout(30 * HZ);
15736 diff -urNp linux-2.6.16.12/grsecurity/grsec_sock.c linux-2.6.16.12/grsecurity/grsec_sock.c
15737 --- linux-2.6.16.12/grsecurity/grsec_sock.c 1969-12-31 19:00:00.000000000 -0500
15738 +++ linux-2.6.16.12/grsecurity/grsec_sock.c 2006-05-01 20:17:34.000000000 -0400
15740 +#include <linux/kernel.h>
15741 +#include <linux/module.h>
15742 +#include <linux/sched.h>
15743 +#include <linux/file.h>
15744 +#include <linux/net.h>
15745 +#include <linux/in.h>
15746 +#include <linux/ip.h>
15747 +#include <net/sock.h>
15748 +#include <net/inet_sock.h>
15749 +#include <linux/grsecurity.h>
15750 +#include <linux/grinternal.h>
15751 +#include <linux/gracl.h>
15753 +#if defined(CONFIG_IP_NF_MATCH_STEALTH_MODULE)
15754 +extern struct sock *udp_v4_lookup(u32 saddr, u16 sport, u32 daddr, u16 dport, int dif);
15755 +EXPORT_SYMBOL(udp_v4_lookup);
15758 +EXPORT_SYMBOL(gr_cap_rtnetlink);
15760 +extern int gr_search_udp_recvmsg(const struct sock *sk, const struct sk_buff *skb);
15761 +extern int gr_search_udp_sendmsg(const struct sock *sk, const struct sockaddr_in *addr);
15763 +EXPORT_SYMBOL(gr_search_udp_recvmsg);
15764 +EXPORT_SYMBOL(gr_search_udp_sendmsg);
15766 +#ifdef CONFIG_UNIX_MODULE
15767 +EXPORT_SYMBOL(gr_acl_handle_unix);
15768 +EXPORT_SYMBOL(gr_acl_handle_mknod);
15769 +EXPORT_SYMBOL(gr_handle_chroot_unix);
15770 +EXPORT_SYMBOL(gr_handle_create);
15773 +#ifdef CONFIG_GRKERNSEC
15774 +#define gr_conn_table_size 32749
15775 +struct conn_table_entry {
15776 + struct conn_table_entry *next;
15777 + struct signal_struct *sig;
15780 +struct conn_table_entry *gr_conn_table[gr_conn_table_size];
15781 +spinlock_t gr_conn_table_lock = SPIN_LOCK_UNLOCKED;
15783 +extern const char * gr_socktype_to_name(unsigned char type);
15784 +extern const char * gr_proto_to_name(unsigned char proto);
15786 +static __inline__ int
15787 +conn_hash(__u32 saddr, __u32 daddr, __u16 sport, __u16 dport, unsigned int size)
15789 + return ((daddr + saddr + (sport << 8) + (dport << 16)) % size);
15792 +static __inline__ int
15793 +conn_match(const struct signal_struct *sig, __u32 saddr, __u32 daddr,
15794 + __u16 sport, __u16 dport)
15796 + if (unlikely(sig->gr_saddr == saddr && sig->gr_daddr == daddr &&
15797 + sig->gr_sport == sport && sig->gr_dport == dport))
15803 +static void gr_add_to_task_ip_table_nolock(struct signal_struct *sig, struct conn_table_entry *newent)
15805 + struct conn_table_entry **match;
15806 + unsigned int index;
15808 + index = conn_hash(sig->gr_saddr, sig->gr_daddr,
15809 + sig->gr_sport, sig->gr_dport,
15810 + gr_conn_table_size);
15812 + newent->sig = sig;
15814 + match = &gr_conn_table[index];
15815 + newent->next = *match;
15821 +static void gr_del_task_from_ip_table_nolock(struct signal_struct *sig)
15823 + struct conn_table_entry *match, *last = NULL;
15824 + unsigned int index;
15826 + index = conn_hash(sig->gr_saddr, sig->gr_daddr,
15827 + sig->gr_sport, sig->gr_dport,
15828 + gr_conn_table_size);
15830 + match = gr_conn_table[index];
15831 + while (match && !conn_match(match->sig,
15832 + sig->gr_saddr, sig->gr_daddr, sig->gr_sport,
15833 + sig->gr_dport)) {
15835 + match = match->next;
15840 + last->next = match->next;
15842 + gr_conn_table[index] = NULL;
15849 +static struct signal_struct * gr_lookup_task_ip_table(__u32 saddr, __u32 daddr,
15850 + __u16 sport, __u16 dport)
15852 + struct conn_table_entry *match;
15853 + unsigned int index;
15855 + index = conn_hash(saddr, daddr, sport, dport, gr_conn_table_size);
15857 + match = gr_conn_table[index];
15858 + while (match && !conn_match(match->sig, saddr, daddr, sport, dport))
15859 + match = match->next;
15862 + return match->sig;
15869 +void gr_update_task_in_ip_table(struct task_struct *task, const struct inet_sock *inet)
15871 +#ifdef CONFIG_GRKERNSEC
15872 + struct signal_struct *sig = task->signal;
15873 + struct conn_table_entry *newent;
15875 + newent = kmalloc(sizeof(struct conn_table_entry), GFP_ATOMIC);
15876 + if (newent == NULL)
15878 + /* no bh lock needed since we are called with bh disabled */
15879 + spin_lock(&gr_conn_table_lock);
15880 + gr_del_task_from_ip_table_nolock(sig);
15881 + sig->gr_saddr = inet->rcv_saddr;
15882 + sig->gr_daddr = inet->daddr;
15883 + sig->gr_sport = inet->sport;
15884 + sig->gr_dport = inet->dport;
15885 + gr_add_to_task_ip_table_nolock(sig, newent);
15886 + spin_unlock(&gr_conn_table_lock);
15891 +void gr_del_task_from_ip_table(struct task_struct *task)
15893 +#ifdef CONFIG_GRKERNSEC
15894 + spin_lock(&gr_conn_table_lock);
15895 + gr_del_task_from_ip_table_nolock(task->signal);
15896 + spin_unlock(&gr_conn_table_lock);
15902 +gr_attach_curr_ip(const struct sock *sk)
15904 +#ifdef CONFIG_GRKERNSEC
15905 + struct signal_struct *p, *set;
15906 + const struct inet_sock *inet = inet_sk(sk);
15908 + if (unlikely(sk->sk_protocol != IPPROTO_TCP))
15911 + set = current->signal;
15913 + spin_lock_bh(&gr_conn_table_lock);
15914 + p = gr_lookup_task_ip_table(inet->daddr, inet->rcv_saddr,
15915 + inet->dport, inet->sport);
15916 + if (unlikely(p != NULL)) {
15917 + set->curr_ip = p->curr_ip;
15918 + set->used_accept = 1;
15919 + gr_del_task_from_ip_table_nolock(p);
15920 + spin_unlock_bh(&gr_conn_table_lock);
15923 + spin_unlock_bh(&gr_conn_table_lock);
15925 + set->curr_ip = inet->daddr;
15926 + set->used_accept = 1;
15932 +gr_handle_sock_all(const int family, const int type, const int protocol)
15934 +#ifdef CONFIG_GRKERNSEC_SOCKET_ALL
15935 + if (grsec_enable_socket_all && in_group_p(grsec_socket_all_gid) &&
15936 + (family != AF_UNIX) && (family != AF_LOCAL)) {
15937 + gr_log_int_str2(GR_DONT_AUDIT, GR_SOCK2_MSG, family, gr_socktype_to_name(type), gr_proto_to_name(protocol));
15945 +gr_handle_sock_server(const struct sockaddr *sck)
15947 +#ifdef CONFIG_GRKERNSEC_SOCKET_SERVER
15948 + if (grsec_enable_socket_server &&
15949 + in_group_p(grsec_socket_server_gid) &&
15950 + sck && (sck->sa_family != AF_UNIX) &&
15951 + (sck->sa_family != AF_LOCAL)) {
15952 + gr_log_noargs(GR_DONT_AUDIT, GR_BIND_MSG);
15960 +gr_handle_sock_server_other(const struct sock *sck)
15962 +#ifdef CONFIG_GRKERNSEC_SOCKET_SERVER
15963 + if (grsec_enable_socket_server &&
15964 + in_group_p(grsec_socket_server_gid) &&
15965 + sck && (sck->sk_family != AF_UNIX) &&
15966 + (sck->sk_family != AF_LOCAL)) {
15967 + gr_log_noargs(GR_DONT_AUDIT, GR_BIND_MSG);
15975 +gr_handle_sock_client(const struct sockaddr *sck)
15977 +#ifdef CONFIG_GRKERNSEC_SOCKET_CLIENT
15978 + if (grsec_enable_socket_client && in_group_p(grsec_socket_client_gid) &&
15979 + sck && (sck->sa_family != AF_UNIX) &&
15980 + (sck->sa_family != AF_LOCAL)) {
15981 + gr_log_noargs(GR_DONT_AUDIT, GR_CONNECT_MSG);
15989 +gr_cap_rtnetlink(void)
15991 +#ifdef CONFIG_GRKERNSEC
15992 + if (!gr_acl_is_enabled())
15993 + return current->cap_effective;
15994 + else if (cap_raised(current->cap_effective, CAP_NET_ADMIN) &&
15995 + gr_task_is_capable(current, CAP_NET_ADMIN))
15996 + return current->cap_effective;
16000 + return current->cap_effective;
16003 diff -urNp linux-2.6.16.12/grsecurity/grsec_sysctl.c linux-2.6.16.12/grsecurity/grsec_sysctl.c
16004 --- linux-2.6.16.12/grsecurity/grsec_sysctl.c 1969-12-31 19:00:00.000000000 -0500
16005 +++ linux-2.6.16.12/grsecurity/grsec_sysctl.c 2006-05-01 20:17:34.000000000 -0400
16007 +#include <linux/kernel.h>
16008 +#include <linux/sched.h>
16009 +#include <linux/sysctl.h>
16010 +#include <linux/grsecurity.h>
16011 +#include <linux/grinternal.h>
16013 +#ifdef CONFIG_GRKERNSEC_MODSTOP
16014 +int grsec_modstop;
16018 +gr_handle_sysctl_mod(const char *dirname, const char *name, const int op)
16020 +#ifdef CONFIG_GRKERNSEC_SYSCTL
16021 + if (!strcmp(dirname, "grsecurity") && grsec_lock && (op & 002)) {
16022 + gr_log_str(GR_DONT_AUDIT, GR_SYSCTL_MSG, name);
16026 +#ifdef CONFIG_GRKERNSEC_MODSTOP
16027 + if (!strcmp(dirname, "grsecurity") && !strcmp(name, "disable_modules") &&
16028 + grsec_modstop && (op & 002)) {
16029 + gr_log_str(GR_DONT_AUDIT, GR_SYSCTL_MSG, name);
16036 +#if defined(CONFIG_GRKERNSEC_SYSCTL) || defined(CONFIG_GRKERNSEC_MODSTOP)
16037 +enum {GS_LINK=1, GS_FIFO, GS_EXECVE, GS_EXECLOG, GS_SIGNAL,
16038 +GS_FORKFAIL, GS_TIME, GS_CHROOT_SHMAT, GS_CHROOT_UNIX, GS_CHROOT_MNT,
16039 +GS_CHROOT_FCHDIR, GS_CHROOT_DBL, GS_CHROOT_PVT, GS_CHROOT_CD, GS_CHROOT_CM,
16040 +GS_CHROOT_MK, GS_CHROOT_NI, GS_CHROOT_EXECLOG, GS_CHROOT_CAPS,
16041 +GS_CHROOT_SYSCTL, GS_TPE, GS_TPE_GID, GS_TPE_ALL, GS_SIDCAPS,
16042 +GS_RANDPID, GS_SOCKET_ALL, GS_SOCKET_ALL_GID, GS_SOCKET_CLIENT,
16043 +GS_SOCKET_CLIENT_GID, GS_SOCKET_SERVER, GS_SOCKET_SERVER_GID,
16044 +GS_GROUP, GS_GID, GS_ACHDIR, GS_AMOUNT, GS_AIPC, GS_DMSG,
16045 +GS_TEXTREL, GS_FINDTASK, GS_SHM, GS_LOCK, GS_MODSTOP};
16048 +ctl_table grsecurity_table[] = {
16049 +#ifdef CONFIG_GRKERNSEC_SYSCTL
16050 +#ifdef CONFIG_GRKERNSEC_LINK
16052 + .ctl_name = GS_LINK,
16053 + .procname = "linking_restrictions",
16054 + .data = &grsec_enable_link,
16055 + .maxlen = sizeof(int),
16057 + .proc_handler = &proc_dointvec,
16060 +#ifdef CONFIG_GRKERNSEC_FIFO
16062 + .ctl_name = GS_FIFO,
16063 + .procname = "fifo_restrictions",
16064 + .data = &grsec_enable_fifo,
16065 + .maxlen = sizeof(int),
16067 + .proc_handler = &proc_dointvec,
16070 +#ifdef CONFIG_GRKERNSEC_EXECVE
16072 + .ctl_name = GS_EXECVE,
16073 + .procname = "execve_limiting",
16074 + .data = &grsec_enable_execve,
16075 + .maxlen = sizeof(int),
16077 + .proc_handler = &proc_dointvec,
16080 +#ifdef CONFIG_GRKERNSEC_EXECLOG
16082 + .ctl_name = GS_EXECLOG,
16083 + .procname = "exec_logging",
16084 + .data = &grsec_enable_execlog,
16085 + .maxlen = sizeof(int),
16087 + .proc_handler = &proc_dointvec,
16090 +#ifdef CONFIG_GRKERNSEC_SIGNAL
16092 + .ctl_name = GS_SIGNAL,
16093 + .procname = "signal_logging",
16094 + .data = &grsec_enable_signal,
16095 + .maxlen = sizeof(int),
16097 + .proc_handler = &proc_dointvec,
16100 +#ifdef CONFIG_GRKERNSEC_FORKFAIL
16102 + .ctl_name = GS_FORKFAIL,
16103 + .procname = "forkfail_logging",
16104 + .data = &grsec_enable_forkfail,
16105 + .maxlen = sizeof(int),
16107 + .proc_handler = &proc_dointvec,
16110 +#ifdef CONFIG_GRKERNSEC_TIME
16112 + .ctl_name = GS_TIME,
16113 + .procname = "timechange_logging",
16114 + .data = &grsec_enable_time,
16115 + .maxlen = sizeof(int),
16117 + .proc_handler = &proc_dointvec,
16120 +#ifdef CONFIG_GRKERNSEC_CHROOT_SHMAT
16122 + .ctl_name = GS_CHROOT_SHMAT,
16123 + .procname = "chroot_deny_shmat",
16124 + .data = &grsec_enable_chroot_shmat,
16125 + .maxlen = sizeof(int),
16127 + .proc_handler = &proc_dointvec,
16130 +#ifdef CONFIG_GRKERNSEC_CHROOT_UNIX
16132 + .ctl_name = GS_CHROOT_UNIX,
16133 + .procname = "chroot_deny_unix",
16134 + .data = &grsec_enable_chroot_unix,
16135 + .maxlen = sizeof(int),
16137 + .proc_handler = &proc_dointvec,
16140 +#ifdef CONFIG_GRKERNSEC_CHROOT_MOUNT
16142 + .ctl_name = GS_CHROOT_MNT,
16143 + .procname = "chroot_deny_mount",
16144 + .data = &grsec_enable_chroot_mount,
16145 + .maxlen = sizeof(int),
16147 + .proc_handler = &proc_dointvec,
16150 +#ifdef CONFIG_GRKERNSEC_CHROOT_FCHDIR
16152 + .ctl_name = GS_CHROOT_FCHDIR,
16153 + .procname = "chroot_deny_fchdir",
16154 + .data = &grsec_enable_chroot_fchdir,
16155 + .maxlen = sizeof(int),
16157 + .proc_handler = &proc_dointvec,
16160 +#ifdef CONFIG_GRKERNSEC_CHROOT_DOUBLE
16162 + .ctl_name = GS_CHROOT_DBL,
16163 + .procname = "chroot_deny_chroot",
16164 + .data = &grsec_enable_chroot_double,
16165 + .maxlen = sizeof(int),
16167 + .proc_handler = &proc_dointvec,
16170 +#ifdef CONFIG_GRKERNSEC_CHROOT_PIVOT
16172 + .ctl_name = GS_CHROOT_PVT,
16173 + .procname = "chroot_deny_pivot",
16174 + .data = &grsec_enable_chroot_pivot,
16175 + .maxlen = sizeof(int),
16177 + .proc_handler = &proc_dointvec,
16180 +#ifdef CONFIG_GRKERNSEC_CHROOT_CHDIR
16182 + .ctl_name = GS_CHROOT_CD,
16183 + .procname = "chroot_enforce_chdir",
16184 + .data = &grsec_enable_chroot_chdir,
16185 + .maxlen = sizeof(int),
16187 + .proc_handler = &proc_dointvec,
16190 +#ifdef CONFIG_GRKERNSEC_CHROOT_CHMOD
16192 + .ctl_name = GS_CHROOT_CM,
16193 + .procname = "chroot_deny_chmod",
16194 + .data = &grsec_enable_chroot_chmod,
16195 + .maxlen = sizeof(int),
16197 + .proc_handler = &proc_dointvec,
16200 +#ifdef CONFIG_GRKERNSEC_CHROOT_MKNOD
16202 + .ctl_name = GS_CHROOT_MK,
16203 + .procname = "chroot_deny_mknod",
16204 + .data = &grsec_enable_chroot_mknod,
16205 + .maxlen = sizeof(int),
16207 + .proc_handler = &proc_dointvec,
16210 +#ifdef CONFIG_GRKERNSEC_CHROOT_NICE
16212 + .ctl_name = GS_CHROOT_NI,
16213 + .procname = "chroot_restrict_nice",
16214 + .data = &grsec_enable_chroot_nice,
16215 + .maxlen = sizeof(int),
16217 + .proc_handler = &proc_dointvec,
16220 +#ifdef CONFIG_GRKERNSEC_CHROOT_EXECLOG
16222 + .ctl_name = GS_CHROOT_EXECLOG,
16223 + .procname = "chroot_execlog",
16224 + .data = &grsec_enable_chroot_execlog,
16225 + .maxlen = sizeof(int),
16227 + .proc_handler = &proc_dointvec,
16230 +#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
16232 + .ctl_name = GS_CHROOT_CAPS,
16233 + .procname = "chroot_caps",
16234 + .data = &grsec_enable_chroot_caps,
16235 + .maxlen = sizeof(int),
16237 + .proc_handler = &proc_dointvec,
16240 +#ifdef CONFIG_GRKERNSEC_CHROOT_SYSCTL
16242 + .ctl_name = GS_CHROOT_SYSCTL,
16243 + .procname = "chroot_deny_sysctl",
16244 + .data = &grsec_enable_chroot_sysctl,
16245 + .maxlen = sizeof(int),
16247 + .proc_handler = &proc_dointvec,
16250 +#ifdef CONFIG_GRKERNSEC_TPE
16252 + .ctl_name = GS_TPE,
16253 + .procname = "tpe",
16254 + .data = &grsec_enable_tpe,
16255 + .maxlen = sizeof(int),
16257 + .proc_handler = &proc_dointvec,
16260 + .ctl_name = GS_TPE_GID,
16261 + .procname = "tpe_gid",
16262 + .data = &grsec_tpe_gid,
16263 + .maxlen = sizeof(int),
16265 + .proc_handler = &proc_dointvec,
16268 +#ifdef CONFIG_GRKERNSEC_TPE_ALL
16270 + .ctl_name = GS_TPE_ALL,
16271 + .procname = "tpe_restrict_all",
16272 + .data = &grsec_enable_tpe_all,
16273 + .maxlen = sizeof(int),
16275 + .proc_handler = &proc_dointvec,
16278 +#ifdef CONFIG_GRKERNSEC_RANDPID
16280 + .ctl_name = GS_RANDPID,
16281 + .procname = "rand_pids",
16282 + .data = &grsec_enable_randpid,
16283 + .maxlen = sizeof(int),
16285 + .proc_handler = &proc_dointvec,
16288 +#ifdef CONFIG_GRKERNSEC_SOCKET_ALL
16290 + .ctl_name = GS_SOCKET_ALL,
16291 + .procname = "socket_all",
16292 + .data = &grsec_enable_socket_all,
16293 + .maxlen = sizeof(int),
16295 + .proc_handler = &proc_dointvec,
16298 + .ctl_name = GS_SOCKET_ALL_GID,
16299 + .procname = "socket_all_gid",
16300 + .data = &grsec_socket_all_gid,
16301 + .maxlen = sizeof(int),
16303 + .proc_handler = &proc_dointvec,
16306 +#ifdef CONFIG_GRKERNSEC_SOCKET_CLIENT
16308 + .ctl_name = GS_SOCKET_CLIENT,
16309 + .procname = "socket_client",
16310 + .data = &grsec_enable_socket_client,
16311 + .maxlen = sizeof(int),
16313 + .proc_handler = &proc_dointvec,
16316 + .ctl_name = GS_SOCKET_CLIENT_GID,
16317 + .procname = "socket_client_gid",
16318 + .data = &grsec_socket_client_gid,
16319 + .maxlen = sizeof(int),
16321 + .proc_handler = &proc_dointvec,
16324 +#ifdef CONFIG_GRKERNSEC_SOCKET_SERVER
16326 + .ctl_name = GS_SOCKET_SERVER,
16327 + .procname = "socket_server",
16328 + .data = &grsec_enable_socket_server,
16329 + .maxlen = sizeof(int),
16331 + .proc_handler = &proc_dointvec,
16334 + .ctl_name = GS_SOCKET_SERVER_GID,
16335 + .procname = "socket_server_gid",
16336 + .data = &grsec_socket_server_gid,
16337 + .maxlen = sizeof(int),
16339 + .proc_handler = &proc_dointvec,
16342 +#ifdef CONFIG_GRKERNSEC_AUDIT_GROUP
16344 + .ctl_name = GS_GROUP,
16345 + .procname = "audit_group",
16346 + .data = &grsec_enable_group,
16347 + .maxlen = sizeof(int),
16349 + .proc_handler = &proc_dointvec,
16352 + .ctl_name = GS_GID,
16353 + .procname = "audit_gid",
16354 + .data = &grsec_audit_gid,
16355 + .maxlen = sizeof(int),
16357 + .proc_handler = &proc_dointvec,
16360 +#ifdef CONFIG_GRKERNSEC_AUDIT_CHDIR
16362 + .ctl_name = GS_ACHDIR,
16363 + .procname = "audit_chdir",
16364 + .data = &grsec_enable_chdir,
16365 + .maxlen = sizeof(int),
16367 + .proc_handler = &proc_dointvec,
16370 +#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
16372 + .ctl_name = GS_AMOUNT,
16373 + .procname = "audit_mount",
16374 + .data = &grsec_enable_mount,
16375 + .maxlen = sizeof(int),
16377 + .proc_handler = &proc_dointvec,
16380 +#ifdef CONFIG_GRKERNSEC_AUDIT_IPC
16382 + .ctl_name = GS_AIPC,
16383 + .procname = "audit_ipc",
16384 + .data = &grsec_enable_audit_ipc,
16385 + .maxlen = sizeof(int),
16387 + .proc_handler = &proc_dointvec,
16390 +#ifdef CONFIG_GRKERNSEC_AUDIT_TEXTREL
16392 + .ctl_name = GS_TEXTREL,
16393 + .procname = "audit_textrel",
16394 + .data = &grsec_enable_audit_textrel,
16395 + .maxlen = sizeof(int),
16397 + .proc_handler = &proc_dointvec,
16400 +#ifdef CONFIG_GRKERNSEC_DMESG
16402 + .ctl_name = GS_DMSG,
16403 + .procname = "dmesg",
16404 + .data = &grsec_enable_dmesg,
16405 + .maxlen = sizeof(int),
16407 + .proc_handler = &proc_dointvec,
16410 +#ifdef CONFIG_GRKERNSEC_CHROOT_FINDTASK
16412 + .ctl_name = GS_FINDTASK,
16413 + .procname = "chroot_findtask",
16414 + .data = &grsec_enable_chroot_findtask,
16415 + .maxlen = sizeof(int),
16417 + .proc_handler = &proc_dointvec,
16420 +#ifdef CONFIG_GRKERNSEC_SHM
16422 + .ctl_name = GS_SHM,
16423 + .procname = "destroy_unused_shm",
16424 + .data = &grsec_enable_shm,
16425 + .maxlen = sizeof(int),
16427 + .proc_handler = &proc_dointvec,
16431 + .ctl_name = GS_LOCK,
16432 + .procname = "grsec_lock",
16433 + .data = &grsec_lock,
16434 + .maxlen = sizeof(int),
16436 + .proc_handler = &proc_dointvec,
16439 +#ifdef CONFIG_GRKERNSEC_MODSTOP
16441 + .ctl_name = GS_MODSTOP,
16442 + .procname = "disable_modules",
16443 + .data = &grsec_modstop,
16444 + .maxlen = sizeof(int),
16446 + .proc_handler = &proc_dointvec,
16449 + { .ctl_name = 0 }
16453 +int gr_check_modstop(void)
16455 +#ifdef CONFIG_GRKERNSEC_MODSTOP
16456 + if (grsec_modstop == 1) {
16457 + gr_log_noargs(GR_DONT_AUDIT, GR_STOPMOD_MSG);
16463 diff -urNp linux-2.6.16.12/grsecurity/grsec_textrel.c linux-2.6.16.12/grsecurity/grsec_textrel.c
16464 --- linux-2.6.16.12/grsecurity/grsec_textrel.c 1969-12-31 19:00:00.000000000 -0500
16465 +++ linux-2.6.16.12/grsecurity/grsec_textrel.c 2006-05-01 20:17:34.000000000 -0400
16467 +#include <linux/kernel.h>
16468 +#include <linux/sched.h>
16469 +#include <linux/mm.h>
16470 +#include <linux/file.h>
16471 +#include <linux/grinternal.h>
16472 +#include <linux/grsecurity.h>
16475 +gr_log_textrel(struct vm_area_struct * vma)
16477 +#ifdef CONFIG_GRKERNSEC_AUDIT_TEXTREL
16478 + if (grsec_enable_audit_textrel)
16479 + gr_log_textrel_ulong_ulong(GR_DO_AUDIT, GR_TEXTREL_AUDIT_MSG, vma->vm_file, vma->vm_start, vma->vm_pgoff);
16483 diff -urNp linux-2.6.16.12/grsecurity/grsec_time.c linux-2.6.16.12/grsecurity/grsec_time.c
16484 --- linux-2.6.16.12/grsecurity/grsec_time.c 1969-12-31 19:00:00.000000000 -0500
16485 +++ linux-2.6.16.12/grsecurity/grsec_time.c 2006-05-01 20:17:34.000000000 -0400
16487 +#include <linux/kernel.h>
16488 +#include <linux/sched.h>
16489 +#include <linux/grinternal.h>
16492 +gr_log_timechange(void)
16494 +#ifdef CONFIG_GRKERNSEC_TIME
16495 + if (grsec_enable_time)
16496 + gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_TIME_MSG);
16500 diff -urNp linux-2.6.16.12/grsecurity/grsec_tpe.c linux-2.6.16.12/grsecurity/grsec_tpe.c
16501 --- linux-2.6.16.12/grsecurity/grsec_tpe.c 1969-12-31 19:00:00.000000000 -0500
16502 +++ linux-2.6.16.12/grsecurity/grsec_tpe.c 2006-05-01 20:17:34.000000000 -0400
16504 +#include <linux/kernel.h>
16505 +#include <linux/sched.h>
16506 +#include <linux/file.h>
16507 +#include <linux/fs.h>
16508 +#include <linux/grinternal.h>
16510 +extern int gr_acl_tpe_check(void);
16513 +gr_tpe_allow(const struct file *file)
16515 +#ifdef CONFIG_GRKERNSEC
16516 + struct inode *inode = file->f_dentry->d_parent->d_inode;
16518 + if (current->uid && ((grsec_enable_tpe &&
16519 +#ifdef CONFIG_GRKERNSEC_TPE_INVERT
16520 + !in_group_p(grsec_tpe_gid)
16522 + in_group_p(grsec_tpe_gid)
16524 + ) || gr_acl_tpe_check()) &&
16525 + (inode->i_uid || (!inode->i_uid && ((inode->i_mode & S_IWGRP) ||
16526 + (inode->i_mode & S_IWOTH))))) {
16527 + gr_log_fs_generic(GR_DONT_AUDIT, GR_EXEC_TPE_MSG, file->f_dentry, file->f_vfsmnt);
16530 +#ifdef CONFIG_GRKERNSEC_TPE_ALL
16531 + if (current->uid && grsec_enable_tpe && grsec_enable_tpe_all &&
16532 + ((inode->i_uid && (inode->i_uid != current->uid)) ||
16533 + (inode->i_mode & S_IWGRP) || (inode->i_mode & S_IWOTH))) {
16534 + gr_log_fs_generic(GR_DONT_AUDIT, GR_EXEC_TPE_MSG, file->f_dentry, file->f_vfsmnt);
16541 diff -urNp linux-2.6.16.12/grsecurity/grsum.c linux-2.6.16.12/grsecurity/grsum.c
16542 --- linux-2.6.16.12/grsecurity/grsum.c 1969-12-31 19:00:00.000000000 -0500
16543 +++ linux-2.6.16.12/grsecurity/grsum.c 2006-05-01 20:17:34.000000000 -0400
16545 +#include <linux/kernel.h>
16546 +#include <linux/sched.h>
16547 +#include <linux/mm.h>
16548 +#include <asm/scatterlist.h>
16549 +#include <linux/crypto.h>
16550 +#include <linux/gracl.h>
16553 +#if !defined(CONFIG_CRYPTO) || defined(CONFIG_CRYPTO_MODULE) || !defined(CONFIG_CRYPTO_SHA256) || defined(CONFIG_CRYPTO_SHA256_MODULE)
16554 +#error "crypto and sha256 must be built into the kernel"
16558 +chkpw(struct gr_arg *entry, unsigned char *salt, unsigned char *sum)
16561 + struct crypto_tfm *tfm;
16562 + unsigned char temp_sum[GR_SHA_LEN];
16563 + struct scatterlist sg[2];
16564 + volatile int retval = 0;
16565 + volatile int dummy = 0;
16568 + tfm = crypto_alloc_tfm("sha256", 0);
16569 + if (tfm == NULL) {
16570 + /* should never happen, since sha256 should be built in */
16574 + crypto_digest_init(tfm);
16577 + sg[0].page = virt_to_page(p);
16578 + sg[0].offset = ((long) p & ~PAGE_MASK);
16579 + sg[0].length = GR_SALT_LEN;
16581 + crypto_digest_update(tfm, sg, 1);
16584 + sg[0].page = virt_to_page(p);
16585 + sg[0].offset = ((long) p & ~PAGE_MASK);
16586 + sg[0].length = strlen(entry->pw);
16588 + crypto_digest_update(tfm, sg, 1);
16590 + crypto_digest_final(tfm, temp_sum);
16592 + memset(entry->pw, 0, GR_PW_LEN);
16594 + for (i = 0; i < GR_SHA_LEN; i++)
16595 + if (sum[i] != temp_sum[i])
16598 + dummy = 1; // waste a cycle
16600 + crypto_free_tfm(tfm);
16604 diff -urNp linux-2.6.16.12/grsecurity/Kconfig linux-2.6.16.12/grsecurity/Kconfig
16605 --- linux-2.6.16.12/grsecurity/Kconfig 1969-12-31 19:00:00.000000000 -0500
16606 +++ linux-2.6.16.12/grsecurity/Kconfig 2006-05-01 20:17:34.000000000 -0400
16609 +# grecurity configuration
16615 + bool "Grsecurity"
16617 + select CRYPTO_SHA256
16619 + If you say Y here, you will be able to configure many features
16620 + that will enhance the security of your system. It is highly
16621 + recommended that you say Y here and read through the help
16622 + for each option so that you fully understand the features and
16623 + can evaluate their usefulness for your machine.
16626 + prompt "Security Level"
16627 + depends GRKERNSEC
16628 + default GRKERNSEC_CUSTOM
16630 +config GRKERNSEC_LOW
16632 + select GRKERNSEC_LINK
16633 + select GRKERNSEC_FIFO
16634 + select GRKERNSEC_RANDPID
16635 + select GRKERNSEC_EXECVE
16636 + select GRKERNSEC_RANDNET
16637 + select GRKERNSEC_DMESG
16638 + select GRKERNSEC_CHROOT_CHDIR
16639 + select GRKERNSEC_MODSTOP if (MODULES)
16642 + If you choose this option, several of the grsecurity options will
16643 + be enabled that will give you greater protection against a number
16644 + of attacks, while assuring that none of your software will have any
16645 + conflicts with the additional security measures. If you run a lot
16646 + of unusual software, or you are having problems with the higher
16647 + security levels, you should say Y here. With this option, the
16648 + following features are enabled:
16650 + - Linking restrictions
16651 + - FIFO restrictions
16652 + - Randomized PIDs
16653 + - Enforcing RLIMIT_NPROC on execve
16654 + - Restricted dmesg
16655 + - Enforced chdir("/") on chroot
16656 + - Runtime module disabling
16658 +config GRKERNSEC_MEDIUM
16661 + select PAX_EI_PAX
16662 + select PAX_PT_PAX_FLAGS
16663 + select PAX_HAVE_ACL_FLAGS
16664 + select GRKERNSEC_PROC_MEMMAP if (PAX_NOEXEC || PAX_ASLR)
16665 + select GRKERNSEC_CHROOT_SYSCTL
16666 + select GRKERNSEC_LINK
16667 + select GRKERNSEC_FIFO
16668 + select GRKERNSEC_RANDPID
16669 + select GRKERNSEC_EXECVE
16670 + select GRKERNSEC_DMESG
16671 + select GRKERNSEC_RANDNET
16672 + select GRKERNSEC_FORKFAIL
16673 + select GRKERNSEC_TIME
16674 + select GRKERNSEC_SIGNAL
16675 + select GRKERNSEC_CHROOT
16676 + select GRKERNSEC_CHROOT_UNIX
16677 + select GRKERNSEC_CHROOT_MOUNT
16678 + select GRKERNSEC_CHROOT_PIVOT
16679 + select GRKERNSEC_CHROOT_DOUBLE
16680 + select GRKERNSEC_CHROOT_CHDIR
16681 + select GRKERNSEC_CHROOT_MKNOD
16682 + select GRKERNSEC_PROC
16683 + select GRKERNSEC_PROC_USERGROUP
16684 + select GRKERNSEC_MODSTOP if (MODULES)
16685 + select PAX_RANDUSTACK
16687 + select PAX_RANDMMAP
16688 + select PAX_NOVSYSCALL if (X86 && !X86_64)
16691 + If you say Y here, several features in addition to those included
16692 + in the low additional security level will be enabled. These
16693 + features provide even more security to your system, though in rare
16694 + cases they may be incompatible with very old or poorly written
16695 + software. If you enable this option, make sure that your auth
16696 + service (identd) is running as gid 1001. With this option,
16697 + the following features (in addition to those provided in the
16698 + low additional security level) will be enabled:
16700 + - Randomized TCP source ports
16701 + - Failed fork logging
16702 + - Time change logging
16704 + - Deny mounts in chroot
16705 + - Deny double chrooting
16706 + - Deny sysctl writes in chroot
16707 + - Deny mknod in chroot
16708 + - Deny access to abstract AF_UNIX sockets out of chroot
16709 + - Deny pivot_root in chroot
16710 + - Denied writes of /dev/kmem, /dev/mem, and /dev/port
16711 + - /proc restrictions with special GID set to 10 (usually wheel)
16712 + - Address Space Layout Randomization (ASLR)
16714 +config GRKERNSEC_HIGH
16716 + select GRKERNSEC_LINK
16717 + select GRKERNSEC_FIFO
16718 + select GRKERNSEC_RANDPID
16719 + select GRKERNSEC_EXECVE
16720 + select GRKERNSEC_DMESG
16721 + select GRKERNSEC_FORKFAIL
16722 + select GRKERNSEC_TIME
16723 + select GRKERNSEC_SIGNAL
16724 + select GRKERNSEC_CHROOT_SHMAT
16725 + select GRKERNSEC_CHROOT_UNIX
16726 + select GRKERNSEC_CHROOT_MOUNT
16727 + select GRKERNSEC_CHROOT_FCHDIR
16728 + select GRKERNSEC_CHROOT_PIVOT
16729 + select GRKERNSEC_CHROOT_DOUBLE
16730 + select GRKERNSEC_CHROOT_CHDIR
16731 + select GRKERNSEC_CHROOT_MKNOD
16732 + select GRKERNSEC_CHROOT_CAPS
16733 + select GRKERNSEC_CHROOT_SYSCTL
16734 + select GRKERNSEC_CHROOT_FINDTASK
16735 + select GRKERNSEC_PROC
16736 + select GRKERNSEC_PROC_MEMMAP if (PAX_NOEXEC || PAX_ASLR)
16737 + select GRKERNSEC_HIDESYM
16738 + select GRKERNSEC_BRUTE
16739 + select GRKERNSEC_SHM if (SYSVIPC)
16740 + select GRKERNSEC_PROC_USERGROUP
16741 + select GRKERNSEC_KMEM
16742 + select GRKERNSEC_RESLOG
16743 + select GRKERNSEC_RANDNET
16744 + select GRKERNSEC_PROC_ADD
16745 + select GRKERNSEC_CHROOT_CHMOD
16746 + select GRKERNSEC_CHROOT_NICE
16747 + select GRKERNSEC_AUDIT_MOUNT
16748 + select GRKERNSEC_MODSTOP if (MODULES)
16750 + select PAX_RANDUSTACK
16752 + select PAX_RANDMMAP
16753 + select PAX_NOEXEC
16754 + select PAX_MPROTECT
16755 + select PAX_EI_PAX
16756 + select PAX_PT_PAX_FLAGS
16757 + select PAX_HAVE_ACL_FLAGS
16758 + select PAX_KERNEXEC if (!X86_64 && !MODULES && !HOTPLUG_PCI_COMPAQ_NVRAM && !PCI_BIOS)
16759 + select PAX_RANDKSTACK if (X86_TSC && !X86_64)
16760 + select PAX_SEGMEXEC if (X86 && !X86_64)
16761 + select PAX_PAGEEXEC if (!X86)
16762 + select PAX_EMUPLT if (ALPHA || PARISC || PPC32 || SPARC32 || SPARC64)
16763 + select PAX_DLRESOLVE if (SPARC32 || SPARC64)
16764 + select PAX_SYSCALL if (PPC32)
16765 + select PAX_EMUTRAMP if (PARISC)
16766 + select PAX_EMUSIGRT if (PARISC)
16767 + select PAX_NOVSYSCALL if (X86 && !X86_64)
16768 + select PAX_ETEXECRELOCS if (ALPHA || IA64 || PARISC)
16770 + If you say Y here, many of the features of grsecurity will be
16771 + enabled, which will protect you against many kinds of attacks
16772 + against your system. The heightened security comes at a cost
16773 + of an increased chance of incompatibilities with rare software
16774 + on your machine. Since this security level enables PaX, you should
16775 + view <http://pax.grsecurity.net> and read about the PaX
16776 + project. While you are there, download chpax and run it on
16777 + binaries that cause problems with PaX. Also remember that
16778 + since the /proc restrictions are enabled, you must run your
16779 + identd as gid 1001. This security level enables the following
16780 + features in addition to those listed in the low and medium
16783 + - Additional /proc restrictions
16784 + - Chmod restrictions in chroot
16785 + - No signals, ptrace, or viewing of processes outside of chroot
16786 + - Capability restrictions in chroot
16787 + - Deny fchdir out of chroot
16788 + - Priority restrictions in chroot
16789 + - Segmentation-based implementation of PaX
16790 + - Mprotect restrictions
16791 + - Removal of addresses from /proc/<pid>/[smaps|maps|stat]
16792 + - Kernel stack randomization
16793 + - Mount/unmount/remount logging
16794 + - Kernel symbol hiding
16795 + - Destroy unused shared memory
16796 + - Prevention of memory exhaustion-based exploits
16797 +config GRKERNSEC_CUSTOM
16800 + If you say Y here, you will be able to configure every grsecurity
16801 + option, which allows you to enable many more features that aren't
16802 + covered in the basic security levels. These additional features
16803 + include TPE, socket restrictions, and the sysctl system for
16804 + grsecurity. It is advised that you read through the help for
16805 + each option to determine its usefulness in your situation.
16809 +menu "Address Space Protection"
16810 +depends on GRKERNSEC
16812 +config GRKERNSEC_KMEM
16813 + bool "Deny writing to /dev/kmem, /dev/mem, and /dev/port"
16815 + If you say Y here, /dev/kmem and /dev/mem won't be allowed to
16816 + be written to via mmap or otherwise to modify the running kernel.
16817 + /dev/port will also not be allowed to be opened. If you have module
16818 + support disabled, enabling this will close up four ways that are
16819 + currently used to insert malicious code into the running kernel.
16820 + Even with all these features enabled, we still highly recommend that
16821 + you use the RBAC system, as it is still possible for an attacker to
16822 + modify the running kernel through privileged I/O granted by ioperm/iopl.
16823 + If you are not using XFree86, you may be able to stop this additional
16824 + case by enabling the 'Disable privileged I/O' option. Though nothing
16825 + legitimately writes to /dev/kmem, XFree86 does need to write to /dev/mem,
16826 + but only to video memory, which is the only writing we allow in this
16827 + case. If /dev/kmem or /dev/mem are mmaped without PROT_WRITE, they will
16828 + not be allowed to mprotect it with PROT_WRITE later.
16829 + It is highly recommended that you say Y here if you meet all the
16830 + conditions above.
16832 +config GRKERNSEC_IO
16833 + bool "Disable privileged I/O"
16837 + If you say Y here, all ioperm and iopl calls will return an error.
16838 + Ioperm and iopl can be used to modify the running kernel.
16839 + Unfortunately, some programs need this access to operate properly,
16840 + the most notable of which are XFree86 and hwclock. hwclock can be
16841 + remedied by having RTC support in the kernel, so CONFIG_RTC is
16842 + enabled if this option is enabled, to ensure that hwclock operates
16843 + correctly. XFree86 still will not operate correctly with this option
16844 + enabled, so DO NOT CHOOSE Y IF YOU USE XFree86. If you use XFree86
16845 + and you still want to protect your kernel against modification,
16846 + use the RBAC system.
16848 +config GRKERNSEC_PROC_MEMMAP
16849 + bool "Remove addresses from /proc/<pid>/[smaps|maps|stat]"
16850 + depends on PAX_NOEXEC || PAX_ASLR
16852 + If you say Y here, the /proc/<pid>/maps and /proc/<pid>/stat files will
16853 + give no information about the addresses of its mappings if
16854 + PaX features that rely on random addresses are enabled on the task.
16855 + If you use PaX it is greatly recommended that you say Y here as it
16856 + closes up a hole that makes the full ASLR useless for suid
16859 +config GRKERNSEC_BRUTE
16860 + bool "Deter exploit bruteforcing"
16862 + If you say Y here, attempts to bruteforce exploits against forking
16863 + daemons such as apache or sshd will be deterred. When a child of a
16864 + forking daemon is killed by PaX or crashes due to an illegal
16865 + instruction, the parent process will be delayed 30 seconds upon every
16866 + subsequent fork until the administrator is able to assess the
16867 + situation and restart the daemon. It is recommended that you also
16868 + enable signal logging in the auditing section so that logs are
16869 + generated when a process performs an illegal instruction.
16871 +config GRKERNSEC_MODSTOP
16872 + bool "Runtime module disabling"
16873 + depends on MODULES
16875 + If you say Y here, you will be able to disable the ability to (un)load
16876 + modules at runtime. This feature is useful if you need the ability
16877 + to load kernel modules at boot time, but do not want to allow an
16878 + attacker to load a rootkit kernel module into the system, or to remove
16879 + a loaded kernel module important to system functioning. You should
16880 + enable the /dev/mem protection feature as well, since rootkits can be
16881 + inserted into the kernel via other methods than kernel modules. Since
16882 + an untrusted module could still be loaded by modifying init scripts and
16883 + rebooting the system, it is also recommended that you enable the RBAC
16884 + system. If you enable this option, a sysctl option with name
16885 + "disable_modules" will be created. Setting this option to "1" disables
16886 + module loading. After this option is set, no further writes to it are
16887 + allowed until the system is rebooted.
16889 +config GRKERNSEC_HIDESYM
16890 + bool "Hide kernel symbols"
16892 + If you say Y here, getting information on loaded modules, and
16893 + displaying all kernel symbols through a syscall will be restricted
16894 + to users with CAP_SYS_MODULE. This option is only effective
16895 + provided the following conditions are met:
16896 + 1) The kernel using grsecurity is not precompiled by some distribution
16897 + 2) You are using the RBAC system and hiding other files such as your
16898 + kernel image and System.map
16899 + 3) You have the additional /proc restrictions enabled, which removes
16901 + If the above conditions are met, this option will aid to provide a
16902 + useful protection against local and remote kernel exploitation of
16903 + overflows and arbitrary read/write vulnerabilities.
16906 +menu "Role Based Access Control Options"
16907 +depends on GRKERNSEC
16909 +config GRKERNSEC_ACL_HIDEKERN
16910 + bool "Hide kernel processes"
16912 + If you say Y here, all kernel threads will be hidden to all
16913 + processes but those whose subject has the "view hidden processes"
16916 +config GRKERNSEC_ACL_MAXTRIES
16917 + int "Maximum tries before password lockout"
16920 + This option enforces the maximum number of times a user can attempt
16921 + to authorize themselves with the grsecurity RBAC system before being
16922 + denied the ability to attempt authorization again for a specified time.
16923 + The lower the number, the harder it will be to brute-force a password.
16925 +config GRKERNSEC_ACL_TIMEOUT
16926 + int "Time to wait after max password tries, in seconds"
16929 + This option specifies the time the user must wait after attempting to
16930 + authorize to the RBAC system with the maximum number of invalid
16931 + passwords. The higher the number, the harder it will be to brute-force
16935 +menu "Filesystem Protections"
16936 +depends on GRKERNSEC
16938 +config GRKERNSEC_PROC
16939 + bool "Proc restrictions"
16941 + If you say Y here, the permissions of the /proc filesystem
16942 + will be altered to enhance system security and privacy. You MUST
16943 + choose either a user only restriction or a user and group restriction.
16944 + Depending upon the option you choose, you can either restrict users to
16945 + see only the processes they themselves run, or choose a group that can
16946 + view all processes and files normally restricted to root if you choose
16947 + the "restrict to user only" option. NOTE: If you're running identd as
16948 + a non-root user, you will have to run it as the group you specify here.
16950 +config GRKERNSEC_PROC_USER
16951 + bool "Restrict /proc to user only"
16952 + depends on GRKERNSEC_PROC
16954 + If you say Y here, non-root users will only be able to view their own
16955 + processes, and restricts them from viewing network-related information,
16956 + and viewing kernel symbol and module information.
16958 +config GRKERNSEC_PROC_USERGROUP
16959 + bool "Allow special group"
16960 + depends on GRKERNSEC_PROC && !GRKERNSEC_PROC_USER
16962 + If you say Y here, you will be able to select a group that will be
16963 + able to view all processes, network-related information, and
16964 + kernel and symbol information. This option is useful if you want
16965 + to run identd as a non-root user.
16967 +config GRKERNSEC_PROC_GID
16968 + int "GID for special group"
16969 + depends on GRKERNSEC_PROC_USERGROUP
16972 +config GRKERNSEC_PROC_ADD
16973 + bool "Additional restrictions"
16974 + depends on GRKERNSEC_PROC_USER || GRKERNSEC_PROC_USERGROUP
16976 + If you say Y here, additional restrictions will be placed on
16977 + /proc that keep normal users from viewing device information and
16978 + slabinfo information that could be useful for exploits.
16980 +config GRKERNSEC_LINK
16981 + bool "Linking restrictions"
16983 + If you say Y here, /tmp race exploits will be prevented, since users
16984 + will no longer be able to follow symlinks owned by other users in
16985 + world-writable +t directories (i.e. /tmp), unless the owner of the
16986 + symlink is the owner of the directory. users will also not be
16987 + able to hardlink to files they do not own. If the sysctl option is
16988 + enabled, a sysctl option with name "linking_restrictions" is created.
16990 +config GRKERNSEC_FIFO
16991 + bool "FIFO restrictions"
16993 + If you say Y here, users will not be able to write to FIFOs they don't
16994 + own in world-writable +t directories (i.e. /tmp), unless the owner of
16995 + the FIFO is the same owner of the directory it's held in. If the sysctl
16996 + option is enabled, a sysctl option with name "fifo_restrictions" is
16999 +config GRKERNSEC_CHROOT
17000 + bool "Chroot jail restrictions"
17002 + If you say Y here, you will be able to choose several options that will
17003 + make breaking out of a chrooted jail much more difficult. If you
17004 + encounter no software incompatibilities with the following options, it
17005 + is recommended that you enable each one.
17007 +config GRKERNSEC_CHROOT_MOUNT
17008 + bool "Deny mounts"
17009 + depends on GRKERNSEC_CHROOT
17011 + If you say Y here, processes inside a chroot will not be able to
17012 + mount or remount filesystems. If the sysctl option is enabled, a
17013 + sysctl option with name "chroot_deny_mount" is created.
17015 +config GRKERNSEC_CHROOT_DOUBLE
17016 + bool "Deny double-chroots"
17017 + depends on GRKERNSEC_CHROOT
17019 + If you say Y here, processes inside a chroot will not be able to chroot
17020 + again outside the chroot. This is a widely used method of breaking
17021 + out of a chroot jail and should not be allowed. If the sysctl
17022 + option is enabled, a sysctl option with name
17023 + "chroot_deny_chroot" is created.
17025 +config GRKERNSEC_CHROOT_PIVOT
17026 + bool "Deny pivot_root in chroot"
17027 + depends on GRKERNSEC_CHROOT
17029 + If you say Y here, processes inside a chroot will not be able to use
17030 + a function called pivot_root() that was introduced in Linux 2.3.41. It
17031 + works similar to chroot in that it changes the root filesystem. This
17032 + function could be misused in a chrooted process to attempt to break out
17033 + of the chroot, and therefore should not be allowed. If the sysctl
17034 + option is enabled, a sysctl option with name "chroot_deny_pivot" is
17037 +config GRKERNSEC_CHROOT_CHDIR
17038 + bool "Enforce chdir(\"/\") on all chroots"
17039 + depends on GRKERNSEC_CHROOT
17041 + If you say Y here, the current working directory of all newly-chrooted
17042 + applications will be set to the the root directory of the chroot.
17043 + The man page on chroot(2) states:
17044 + Note that this call does not change the current working
17045 + directory, so that `.' can be outside the tree rooted at
17046 + `/'. In particular, the super-user can escape from a
17047 + `chroot jail' by doing `mkdir foo; chroot foo; cd ..'.
17049 + It is recommended that you say Y here, since it's not known to break
17050 + any software. If the sysctl option is enabled, a sysctl option with
17051 + name "chroot_enforce_chdir" is created.
17053 +config GRKERNSEC_CHROOT_CHMOD
17054 + bool "Deny (f)chmod +s"
17055 + depends on GRKERNSEC_CHROOT
17057 + If you say Y here, processes inside a chroot will not be able to chmod
17058 + or fchmod files to make them have suid or sgid bits. This protects
17059 + against another published method of breaking a chroot. If the sysctl
17060 + option is enabled, a sysctl option with name "chroot_deny_chmod" is
17063 +config GRKERNSEC_CHROOT_FCHDIR
17064 + bool "Deny fchdir out of chroot"
17065 + depends on GRKERNSEC_CHROOT
17067 + If you say Y here, a well-known method of breaking chroots by fchdir'ing
17068 + to a file descriptor of the chrooting process that points to a directory
17069 + outside the filesystem will be stopped. If the sysctl option
17070 + is enabled, a sysctl option with name "chroot_deny_fchdir" is created.
17072 +config GRKERNSEC_CHROOT_MKNOD
17073 + bool "Deny mknod"
17074 + depends on GRKERNSEC_CHROOT
17076 + If you say Y here, processes inside a chroot will not be allowed to
17077 + mknod. The problem with using mknod inside a chroot is that it
17078 + would allow an attacker to create a device entry that is the same
17079 + as one on the physical root of your system, which could range from
17080 + anything from the console device to a device for your harddrive (which
17081 + they could then use to wipe the drive or steal data). It is recommended
17082 + that you say Y here, unless you run into software incompatibilities.
17083 + If the sysctl option is enabled, a sysctl option with name
17084 + "chroot_deny_mknod" is created.
17086 +config GRKERNSEC_CHROOT_SHMAT
17087 + bool "Deny shmat() out of chroot"
17088 + depends on GRKERNSEC_CHROOT
17090 + If you say Y here, processes inside a chroot will not be able to attach
17091 + to shared memory segments that were created outside of the chroot jail.
17092 + It is recommended that you say Y here. If the sysctl option is enabled,
17093 + a sysctl option with name "chroot_deny_shmat" is created.
17095 +config GRKERNSEC_CHROOT_UNIX
17096 + bool "Deny access to abstract AF_UNIX sockets out of chroot"
17097 + depends on GRKERNSEC_CHROOT
17099 + If you say Y here, processes inside a chroot will not be able to
17100 + connect to abstract (meaning not belonging to a filesystem) Unix
17101 + domain sockets that were bound outside of a chroot. It is recommended
17102 + that you say Y here. If the sysctl option is enabled, a sysctl option
17103 + with name "chroot_deny_unix" is created.
17105 +config GRKERNSEC_CHROOT_FINDTASK
17106 + bool "Protect outside processes"
17107 + depends on GRKERNSEC_CHROOT
17109 + If you say Y here, processes inside a chroot will not be able to
17110 + kill, send signals with fcntl, ptrace, capget, setpgid, getpgid,
17111 + getsid, or view any process outside of the chroot. If the sysctl
17112 + option is enabled, a sysctl option with name "chroot_findtask" is
17115 +config GRKERNSEC_CHROOT_NICE
17116 + bool "Restrict priority changes"
17117 + depends on GRKERNSEC_CHROOT
17119 + If you say Y here, processes inside a chroot will not be able to raise
17120 + the priority of processes in the chroot, or alter the priority of
17121 + processes outside the chroot. This provides more security than simply
17122 + removing CAP_SYS_NICE from the process' capability set. If the
17123 + sysctl option is enabled, a sysctl option with name "chroot_restrict_nice"
17126 +config GRKERNSEC_CHROOT_SYSCTL
17127 + bool "Deny sysctl writes"
17128 + depends on GRKERNSEC_CHROOT
17130 + If you say Y here, an attacker in a chroot will not be able to
17131 + write to sysctl entries, either by sysctl(2) or through a /proc
17132 + interface. It is strongly recommended that you say Y here. If the
17133 + sysctl option is enabled, a sysctl option with name
17134 + "chroot_deny_sysctl" is created.
17136 +config GRKERNSEC_CHROOT_CAPS
17137 + bool "Capability restrictions"
17138 + depends on GRKERNSEC_CHROOT
17140 + If you say Y here, the capabilities on all root processes within a
17141 + chroot jail will be lowered to stop module insertion, raw i/o,
17142 + system and net admin tasks, rebooting the system, modifying immutable
17143 + files, modifying IPC owned by another, and changing the system time.
17144 + This is left an option because it can break some apps. Disable this
17145 + if your chrooted apps are having problems performing those kinds of
17146 + tasks. If the sysctl option is enabled, a sysctl option with
17147 + name "chroot_caps" is created.
17150 +menu "Kernel Auditing"
17151 +depends on GRKERNSEC
17153 +config GRKERNSEC_AUDIT_GROUP
17154 + bool "Single group for auditing"
17156 + If you say Y here, the exec, chdir, (un)mount, and ipc logging features
17157 + will only operate on a group you specify. This option is recommended
17158 + if you only want to watch certain users instead of having a large
17159 + amount of logs from the entire system. If the sysctl option is enabled,
17160 + a sysctl option with name "audit_group" is created.
17162 +config GRKERNSEC_AUDIT_GID
17163 + int "GID for auditing"
17164 + depends on GRKERNSEC_AUDIT_GROUP
17167 +config GRKERNSEC_EXECLOG
17168 + bool "Exec logging"
17170 + If you say Y here, all execve() calls will be logged (since the
17171 + other exec*() calls are frontends to execve(), all execution
17172 + will be logged). Useful for shell-servers that like to keep track
17173 + of their users. If the sysctl option is enabled, a sysctl option with
17174 + name "exec_logging" is created.
17175 + WARNING: This option when enabled will produce a LOT of logs, especially
17176 + on an active system.
17178 +config GRKERNSEC_RESLOG
17179 + bool "Resource logging"
17181 + If you say Y here, all attempts to overstep resource limits will
17182 + be logged with the resource name, the requested size, and the current
17183 + limit. It is highly recommended that you say Y here.
17185 +config GRKERNSEC_CHROOT_EXECLOG
17186 + bool "Log execs within chroot"
17188 + If you say Y here, all executions inside a chroot jail will be logged
17189 + to syslog. This can cause a large amount of logs if certain
17190 + applications (eg. djb's daemontools) are installed on the system, and
17191 + is therefore left as an option. If the sysctl option is enabled, a
17192 + sysctl option with name "chroot_execlog" is created.
17194 +config GRKERNSEC_AUDIT_CHDIR
17195 + bool "Chdir logging"
17197 + If you say Y here, all chdir() calls will be logged. If the sysctl
17198 + option is enabled, a sysctl option with name "audit_chdir" is created.
17200 +config GRKERNSEC_AUDIT_MOUNT
17201 + bool "(Un)Mount logging"
17203 + If you say Y here, all mounts and unmounts will be logged. If the
17204 + sysctl option is enabled, a sysctl option with name "audit_mount" is
17207 +config GRKERNSEC_AUDIT_IPC
17208 + bool "IPC logging"
17210 + If you say Y here, creation and removal of message queues, semaphores,
17211 + and shared memory will be logged. If the sysctl option is enabled, a
17212 + sysctl option with name "audit_ipc" is created.
17214 +config GRKERNSEC_SIGNAL
17215 + bool "Signal logging"
17217 + If you say Y here, certain important signals will be logged, such as
17218 + SIGSEGV, which will as a result inform you of when a error in a program
17219 + occurred, which in some cases could mean a possible exploit attempt.
17220 + If the sysctl option is enabled, a sysctl option with name
17221 + "signal_logging" is created.
17223 +config GRKERNSEC_FORKFAIL
17224 + bool "Fork failure logging"
17226 + If you say Y here, all failed fork() attempts will be logged.
17227 + This could suggest a fork bomb, or someone attempting to overstep
17228 + their process limit. If the sysctl option is enabled, a sysctl option
17229 + with name "forkfail_logging" is created.
17231 +config GRKERNSEC_TIME
17232 + bool "Time change logging"
17234 + If you say Y here, any changes of the system clock will be logged.
17235 + If the sysctl option is enabled, a sysctl option with name
17236 + "timechange_logging" is created.
17238 +config GRKERNSEC_PROC_IPADDR
17239 + bool "/proc/<pid>/ipaddr support"
17241 + If you say Y here, a new entry will be added to each /proc/<pid>
17242 + directory that contains the IP address of the person using the task.
17243 + The IP is carried across local TCP and AF_UNIX stream sockets.
17244 + This information can be useful for IDS/IPSes to perform remote response
17245 + to a local attack. The entry is readable by only the owner of the
17246 + process (and root if he has CAP_DAC_OVERRIDE, which can be removed via
17247 + the RBAC system), and thus does not create privacy concerns.
17249 +config GRKERNSEC_AUDIT_TEXTREL
17250 + bool 'ELF text relocations logging (READ HELP)'
17251 + depends on PAX_MPROTECT
17253 + If you say Y here, text relocations will be logged with the filename
17254 + of the offending library or binary. The purpose of the feature is
17255 + to help Linux distribution developers get rid of libraries and
17256 + binaries that need text relocations which hinder the future progress
17257 + of PaX. Only Linux distribution developers should say Y here, and
17258 + never on a production machine, as this option creates an information
17259 + leak that could aid an attacker in defeating the randomization of
17260 + a single memory region. If the sysctl option is enabled, a sysctl
17261 + option with name "audit_textrel" is created.
17265 +menu "Executable Protections"
17266 +depends on GRKERNSEC
17268 +config GRKERNSEC_EXECVE
17269 + bool "Enforce RLIMIT_NPROC on execs"
17271 + If you say Y here, users with a resource limit on processes will
17272 + have the value checked during execve() calls. The current system
17273 + only checks the system limit during fork() calls. If the sysctl option
17274 + is enabled, a sysctl option with name "execve_limiting" is created.
17276 +config GRKERNSEC_SHM
17277 + bool "Destroy unused shared memory"
17278 + depends on SYSVIPC
17280 + If you say Y here, shared memory will be destroyed when no one is
17281 + attached to it. Otherwise, resources involved with the shared
17282 + memory can be used up and not be associated with any process (as the
17283 + shared memory still exists, and the creating process has exited). If
17284 + the sysctl option is enabled, a sysctl option with name
17285 + "destroy_unused_shm" is created.
17287 +config GRKERNSEC_DMESG
17288 + bool "Dmesg(8) restriction"
17290 + If you say Y here, non-root users will not be able to use dmesg(8)
17291 + to view up to the last 4kb of messages in the kernel's log buffer.
17292 + If the sysctl option is enabled, a sysctl option with name "dmesg" is
17295 +config GRKERNSEC_RANDPID
17296 + bool "Randomized PIDs"
17298 + If you say Y here, all PIDs created on the system will be
17299 + pseudo-randomly generated. This is extremely effective along
17300 + with the /proc restrictions to disallow an attacker from guessing
17301 + pids of daemons, etc. PIDs are also used in some cases as part
17302 + of a naming system for temporary files, so this option would keep
17303 + those filenames from being predicted as well. We also use code
17304 + to make sure that PID numbers aren't reused too soon. If the sysctl
17305 + option is enabled, a sysctl option with name "rand_pids" is created.
17307 +config GRKERNSEC_TPE
17308 + bool "Trusted Path Execution (TPE)"
17310 + If you say Y here, you will be able to choose a gid to add to the
17311 + supplementary groups of users you want to mark as "untrusted."
17312 + These users will not be able to execute any files that are not in
17313 + root-owned directories writable only by root. If the sysctl option
17314 + is enabled, a sysctl option with name "tpe" is created.
17316 +config GRKERNSEC_TPE_ALL
17317 + bool "Partially restrict non-root users"
17318 + depends on GRKERNSEC_TPE
17320 + If you say Y here, All non-root users other than the ones in the
17321 + group specified in the main TPE option will only be allowed to
17322 + execute files in directories they own that are not group or
17323 + world-writable, or in directories owned by root and writable only by
17324 + root. If the sysctl option is enabled, a sysctl option with name
17325 + "tpe_restrict_all" is created.
17327 +config GRKERNSEC_TPE_INVERT
17328 + bool "Invert GID option"
17329 + depends on GRKERNSEC_TPE
17331 + If you say Y here, the group you specify in the TPE configuration will
17332 + decide what group TPE restrictions will be *disabled* for. This
17333 + option is useful if you want TPE restrictions to be applied to most
17334 + users on the system.
17336 +config GRKERNSEC_TPE_GID
17337 + int "GID for untrusted users"
17338 + depends on GRKERNSEC_TPE && !GRKERNSEC_TPE_INVERT
17341 + If you have selected the "Invert GID option" above, setting this
17342 + GID determines what group TPE restrictions will be *disabled* for.
17343 + If you have not selected the "Invert GID option" above, setting this
17344 + GID determines what group TPE restrictions will be *enabled* for.
17345 + If the sysctl option is enabled, a sysctl option with name "tpe_gid"
17348 +config GRKERNSEC_TPE_GID
17349 + int "GID for trusted users"
17350 + depends on GRKERNSEC_TPE && GRKERNSEC_TPE_INVERT
17353 + If you have selected the "Invert GID option" above, setting this
17354 + GID determines what group TPE restrictions will be *disabled* for.
17355 + If you have not selected the "Invert GID option" above, setting this
17356 + GID determines what group TPE restrictions will be *enabled* for.
17357 + If the sysctl option is enabled, a sysctl option with name "tpe_gid"
17361 +menu "Network Protections"
17362 +depends on GRKERNSEC
17364 +config GRKERNSEC_RANDNET
17365 + bool "Larger entropy pools"
17367 + If you say Y here, the entropy pools used for many features of Linux
17368 + and grsecurity will be doubled in size. Since several grsecurity
17369 + features use additional randomness, it is recommended that you say Y
17370 + here. Saying Y here has a similar effect as modifying
17371 + /proc/sys/kernel/random/poolsize.
17373 +config GRKERNSEC_SOCKET
17374 + bool "Socket restrictions"
17376 + If you say Y here, you will be able to choose from several options.
17377 + If you assign a GID on your system and add it to the supplementary
17378 + groups of users you want to restrict socket access to, this patch
17379 + will perform up to three things, based on the option(s) you choose.
17381 +config GRKERNSEC_SOCKET_ALL
17382 + bool "Deny any sockets to group"
17383 + depends on GRKERNSEC_SOCKET
17385 + If you say Y here, you will be able to choose a GID of whose users will
17386 + be unable to connect to other hosts from your machine or run server
17387 + applications from your machine. If the sysctl option is enabled, a
17388 + sysctl option with name "socket_all" is created.
17390 +config GRKERNSEC_SOCKET_ALL_GID
17391 + int "GID to deny all sockets for"
17392 + depends on GRKERNSEC_SOCKET_ALL
17395 + Here you can choose the GID to disable socket access for. Remember to
17396 + add the users you want socket access disabled for to the GID
17397 + specified here. If the sysctl option is enabled, a sysctl option
17398 + with name "socket_all_gid" is created.
17400 +config GRKERNSEC_SOCKET_CLIENT
17401 + bool "Deny client sockets to group"
17402 + depends on GRKERNSEC_SOCKET
17404 + If you say Y here, you will be able to choose a GID of whose users will
17405 + be unable to connect to other hosts from your machine, but will be
17406 + able to run servers. If this option is enabled, all users in the group
17407 + you specify will have to use passive mode when initiating ftp transfers
17408 + from the shell on your machine. If the sysctl option is enabled, a
17409 + sysctl option with name "socket_client" is created.
17411 +config GRKERNSEC_SOCKET_CLIENT_GID
17412 + int "GID to deny client sockets for"
17413 + depends on GRKERNSEC_SOCKET_CLIENT
17416 + Here you can choose the GID to disable client socket access for.
17417 + Remember to add the users you want client socket access disabled for to
17418 + the GID specified here. If the sysctl option is enabled, a sysctl
17419 + option with name "socket_client_gid" is created.
17421 +config GRKERNSEC_SOCKET_SERVER
17422 + bool "Deny server sockets to group"
17423 + depends on GRKERNSEC_SOCKET
17425 + If you say Y here, you will be able to choose a GID of whose users will
17426 + be unable to run server applications from your machine. If the sysctl
17427 + option is enabled, a sysctl option with name "socket_server" is created.
17429 +config GRKERNSEC_SOCKET_SERVER_GID
17430 + int "GID to deny server sockets for"
17431 + depends on GRKERNSEC_SOCKET_SERVER
17434 + Here you can choose the GID to disable server socket access for.
17435 + Remember to add the users you want server socket access disabled for to
17436 + the GID specified here. If the sysctl option is enabled, a sysctl
17437 + option with name "socket_server_gid" is created.
17440 +menu "Sysctl support"
17441 +depends on GRKERNSEC && SYSCTL
17443 +config GRKERNSEC_SYSCTL
17444 + bool "Sysctl support"
17446 + If you say Y here, you will be able to change the options that
17447 + grsecurity runs with at bootup, without having to recompile your
17448 + kernel. You can echo values to files in /proc/sys/kernel/grsecurity
17449 + to enable (1) or disable (0) various features. All the sysctl entries
17450 + are mutable until the "grsec_lock" entry is set to a non-zero value.
17451 + All features enabled in the kernel configuration are disabled at boot
17452 + if you do not say Y to the "Turn on features by default" option.
17453 + All options should be set at startup, and the grsec_lock entry should
17454 + be set to a non-zero value after all the options are set.
17455 + *THIS IS EXTREMELY IMPORTANT*
17457 +config GRKERNSEC_SYSCTL_ON
17458 + bool "Turn on features by default"
17459 + depends on GRKERNSEC_SYSCTL
17461 + If you say Y here, instead of having all features enabled in the
17462 + kernel configuration disabled at boot time, the features will be
17463 + enabled at boot time. It is recommended you say Y here unless
17464 + there is some reason you would want all sysctl-tunable features to
17465 + be disabled by default. As mentioned elsewhere, it is important
17466 + to enable the grsec_lock entry once you have finished modifying
17467 + the sysctl entries.
17470 +menu "Logging Options"
17471 +depends on GRKERNSEC
17473 +config GRKERNSEC_FLOODTIME
17474 + int "Seconds in between log messages (minimum)"
17477 + This option allows you to enforce the number of seconds between
17478 + grsecurity log messages. The default should be suitable for most
17479 + people, however, if you choose to change it, choose a value small enough
17480 + to allow informative logs to be produced, but large enough to
17481 + prevent flooding.
17483 +config GRKERNSEC_FLOODBURST
17484 + int "Number of messages in a burst (maximum)"
17487 + This option allows you to choose the maximum number of messages allowed
17488 + within the flood time interval you chose in a separate option. The
17489 + default should be suitable for most people, however if you find that
17490 + many of your logs are being interpreted as flooding, you may want to
17491 + raise this value.
17496 diff -urNp linux-2.6.16.12/grsecurity/Makefile linux-2.6.16.12/grsecurity/Makefile
17497 --- linux-2.6.16.12/grsecurity/Makefile 1969-12-31 19:00:00.000000000 -0500
17498 +++ linux-2.6.16.12/grsecurity/Makefile 2006-05-01 20:17:34.000000000 -0400
17500 +# grsecurity's ACL system was originally written in 2001 by Michael Dalton
17501 +# during 2001-2005 it has been completely redesigned by Brad Spengler
17502 +# into an RBAC system
17504 +# All code in this directory and various hooks inserted throughout the kernel
17505 +# are copyright Brad Spengler, and released under the GPL v2 or higher
17507 +obj-y = grsec_chdir.o grsec_chroot.o grsec_exec.o grsec_fifo.o grsec_fork.o \
17508 + grsec_mount.o grsec_rand.o grsec_sig.o grsec_sock.o grsec_sysctl.o \
17509 + grsec_time.o grsec_tpe.o grsec_ipc.o grsec_link.o grsec_textrel.o
17511 +obj-$(CONFIG_GRKERNSEC) += grsec_init.o grsum.o gracl.o gracl_ip.o gracl_segv.o \
17512 + gracl_cap.o gracl_alloc.o gracl_shm.o grsec_mem.o gracl_fs.o \
17513 + gracl_learn.o grsec_log.o
17514 +obj-$(CONFIG_GRKERNSEC_RESLOG) += gracl_res.o
17516 +ifndef CONFIG_GRKERNSEC
17517 +obj-y += grsec_disabled.o
17520 diff -urNp linux-2.6.16.12/include/asm-alpha/a.out.h linux-2.6.16.12/include/asm-alpha/a.out.h
17521 --- linux-2.6.16.12/include/asm-alpha/a.out.h 2006-05-01 15:14:26.000000000 -0400
17522 +++ linux-2.6.16.12/include/asm-alpha/a.out.h 2006-05-01 20:17:34.000000000 -0400
17523 @@ -98,7 +98,7 @@ struct exec
17524 set_personality (((BFPM->sh_bang || EX.ah.entry < 0x100000000L \
17525 ? ADDR_LIMIT_32BIT : 0) | PER_OSF4))
17527 -#define STACK_TOP \
17528 +#define __STACK_TOP \
17529 (current->personality & ADDR_LIMIT_32BIT ? 0x80000000 : 0x00120000000UL)
17532 diff -urNp linux-2.6.16.12/include/asm-alpha/elf.h linux-2.6.16.12/include/asm-alpha/elf.h
17533 --- linux-2.6.16.12/include/asm-alpha/elf.h 2006-05-01 15:14:26.000000000 -0400
17534 +++ linux-2.6.16.12/include/asm-alpha/elf.h 2006-05-01 20:17:34.000000000 -0400
17535 @@ -91,6 +91,17 @@ typedef elf_fpreg_t elf_fpregset_t[ELF_N
17537 #define ELF_ET_DYN_BASE (TASK_UNMAPPED_BASE + 0x1000000)
17539 +#ifdef CONFIG_PAX_ASLR
17540 +#define PAX_ELF_ET_DYN_BASE(tsk) ((tsk)->personality & ADDR_LIMIT_32BIT ? 0x10000 : 0x120000000UL)
17542 +#define PAX_DELTA_MMAP_LSB(tsk) PAGE_SHIFT
17543 +#define PAX_DELTA_MMAP_LEN(tsk) ((tsk)->personality & ADDR_LIMIT_32BIT ? 14 : 28)
17544 +#define PAX_DELTA_EXEC_LSB(tsk) PAGE_SHIFT
17545 +#define PAX_DELTA_EXEC_LEN(tsk) ((tsk)->personality & ADDR_LIMIT_32BIT ? 14 : 28)
17546 +#define PAX_DELTA_STACK_LSB(tsk) PAGE_SHIFT
17547 +#define PAX_DELTA_STACK_LEN(tsk) ((tsk)->personality & ADDR_LIMIT_32BIT ? 14 : 19)
17550 /* $0 is set by ld.so to a pointer to a function which might be
17551 registered using atexit. This provides a mean for the dynamic
17552 linker to call DT_FINI functions for shared libraries that have
17553 diff -urNp linux-2.6.16.12/include/asm-alpha/page.h linux-2.6.16.12/include/asm-alpha/page.h
17554 --- linux-2.6.16.12/include/asm-alpha/page.h 2006-05-01 15:14:26.000000000 -0400
17555 +++ linux-2.6.16.12/include/asm-alpha/page.h 2006-05-01 20:17:34.000000000 -0400
17556 @@ -98,6 +98,15 @@ typedef unsigned long pgprot_t;
17557 #define VM_DATA_DEFAULT_FLAGS (VM_READ | VM_WRITE | VM_EXEC | \
17558 VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
17560 +#ifdef CONFIG_PAX_PAGEEXEC
17561 +#ifdef CONFIG_PAX_MPROTECT
17562 +#define __VM_STACK_FLAGS (((current->mm->pax_flags & MF_PAX_MPROTECT)?0:VM_MAYEXEC) | \
17563 + ((current->mm->pax_flags & MF_PAX_PAGEEXEC)?0:VM_EXEC))
17565 +#define __VM_STACK_FLAGS (VM_MAYEXEC | ((current->mm->pax_flags & MF_PAX_PAGEEXEC)?0:VM_EXEC))
17569 #endif /* __KERNEL__ */
17571 #include <asm-generic/page.h>
17572 diff -urNp linux-2.6.16.12/include/asm-alpha/pgtable.h linux-2.6.16.12/include/asm-alpha/pgtable.h
17573 --- linux-2.6.16.12/include/asm-alpha/pgtable.h 2006-05-01 15:14:26.000000000 -0400
17574 +++ linux-2.6.16.12/include/asm-alpha/pgtable.h 2006-05-01 20:17:34.000000000 -0400
17575 @@ -102,6 +102,17 @@ struct vm_area_struct;
17576 #define PAGE_SHARED __pgprot(_PAGE_VALID | __ACCESS_BITS)
17577 #define PAGE_COPY __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOW)
17578 #define PAGE_READONLY __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOW)
17580 +#ifdef CONFIG_PAX_PAGEEXEC
17581 +# define PAGE_SHARED_NOEXEC __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOE)
17582 +# define PAGE_COPY_NOEXEC __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOW | _PAGE_FOE)
17583 +# define PAGE_READONLY_NOEXEC __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOW | _PAGE_FOE)
17585 +# define PAGE_SHARED_NOEXEC PAGE_SHARED
17586 +# define PAGE_COPY_NOEXEC PAGE_COPY
17587 +# define PAGE_READONLY_NOEXEC PAGE_READONLY
17590 #define PAGE_KERNEL __pgprot(_PAGE_VALID | _PAGE_ASM | _PAGE_KRE | _PAGE_KWE)
17592 #define _PAGE_NORMAL(x) __pgprot(_PAGE_VALID | __ACCESS_BITS | (x))
17593 diff -urNp linux-2.6.16.12/include/asm-arm/a.out.h linux-2.6.16.12/include/asm-arm/a.out.h
17594 --- linux-2.6.16.12/include/asm-arm/a.out.h 2006-05-01 15:14:26.000000000 -0400
17595 +++ linux-2.6.16.12/include/asm-arm/a.out.h 2006-05-01 20:17:34.000000000 -0400
17596 @@ -28,7 +28,7 @@ struct exec
17600 -#define STACK_TOP ((current->personality == PER_LINUX_32BIT) ? \
17601 +#define __STACK_TOP ((current->personality == PER_LINUX_32BIT) ? \
17602 TASK_SIZE : TASK_SIZE_26)
17605 diff -urNp linux-2.6.16.12/include/asm-arm/elf.h linux-2.6.16.12/include/asm-arm/elf.h
17606 --- linux-2.6.16.12/include/asm-arm/elf.h 2006-05-01 15:14:26.000000000 -0400
17607 +++ linux-2.6.16.12/include/asm-arm/elf.h 2006-05-01 20:17:34.000000000 -0400
17608 @@ -56,6 +56,17 @@ typedef struct user_fp elf_fpregset_t;
17610 #define ELF_ET_DYN_BASE (2 * TASK_SIZE / 3)
17612 +#ifdef CONFIG_PAX_ASLR
17613 +#define PAX_ELF_ET_DYN_BASE(tsk) 0x00008000UL
17615 +#define PAX_DELTA_MMAP_LSB(tsk) PAGE_SHIFT
17616 +#define PAX_DELTA_MMAP_LEN(tsk) ((tsk->personality == PER_LINUX_32BIT) ? 16 : 10)
17617 +#define PAX_DELTA_EXEC_LSB(tsk) PAGE_SHIFT
17618 +#define PAX_DELTA_EXEC_LEN(tsk) ((tsk->personality == PER_LINUX_32BIT) ? 16 : 10)
17619 +#define PAX_DELTA_STACK_LSB(tsk) PAGE_SHIFT
17620 +#define PAX_DELTA_STACK_LEN(tsk) ((tsk->personality == PER_LINUX_32BIT) ? 16 : 10)
17623 /* When the program starts, a1 contains a pointer to a function to be
17624 registered with atexit, as per the SVR4 ABI. A value of 0 means we
17625 have no such handler. */
17626 diff -urNp linux-2.6.16.12/include/asm-i386/a.out.h linux-2.6.16.12/include/asm-i386/a.out.h
17627 --- linux-2.6.16.12/include/asm-i386/a.out.h 2006-05-01 15:14:26.000000000 -0400
17628 +++ linux-2.6.16.12/include/asm-i386/a.out.h 2006-05-01 20:17:34.000000000 -0400
17629 @@ -19,7 +19,11 @@ struct exec
17633 -#define STACK_TOP TASK_SIZE
17634 +#ifdef CONFIG_PAX_SEGMEXEC
17635 +#define __STACK_TOP ((current->mm->pax_flags & MF_PAX_SEGMEXEC)?TASK_SIZE/2:TASK_SIZE)
17637 +#define __STACK_TOP TASK_SIZE
17642 diff -urNp linux-2.6.16.12/include/asm-i386/auxvec.h linux-2.6.16.12/include/asm-i386/auxvec.h
17643 --- linux-2.6.16.12/include/asm-i386/auxvec.h 2006-05-01 15:14:26.000000000 -0400
17644 +++ linux-2.6.16.12/include/asm-i386/auxvec.h 2006-05-01 20:17:34.000000000 -0400
17646 * Architecture-neutral AT_ values in 0-17, leave some room
17647 * for more of them, start the x86-specific ones at 32.
17649 +#ifndef CONFIG_PAX_NOVSYSCALL
17650 #define AT_SYSINFO 32
17651 #define AT_SYSINFO_EHDR 33
17655 diff -urNp linux-2.6.16.12/include/asm-i386/desc.h linux-2.6.16.12/include/asm-i386/desc.h
17656 --- linux-2.6.16.12/include/asm-i386/desc.h 2006-05-01 15:14:26.000000000 -0400
17657 +++ linux-2.6.16.12/include/asm-i386/desc.h 2006-05-01 20:17:34.000000000 -0400
17658 @@ -10,11 +10,13 @@
17660 #include <linux/preempt.h>
17661 #include <linux/smp.h>
17662 -#include <linux/percpu.h>
17663 +#include <linux/sched.h>
17665 #include <asm/mmu.h>
17666 +#include <asm/pgtable.h>
17667 +#include <asm/tlbflush.h>
17669 -extern struct desc_struct cpu_gdt_table[GDT_ENTRIES];
17670 +extern struct desc_struct cpu_gdt_table[NR_CPUS][PAGE_SIZE / sizeof(struct desc_struct)];
17672 DECLARE_PER_CPU(unsigned char, cpu_16bit_stack[CPU_16BIT_STACK_SIZE]);
17674 @@ -24,13 +26,53 @@ struct Xgt_desc_struct {
17675 unsigned short pad;
17676 } __attribute__ ((packed));
17678 -extern struct Xgt_desc_struct idt_descr;
17679 -DECLARE_PER_CPU(struct Xgt_desc_struct, cpu_gdt_descr);
17681 +extern struct Xgt_desc_struct idt_descr, cpu_gdt_descr[NR_CPUS];
17683 static inline struct desc_struct *get_cpu_gdt_table(unsigned int cpu)
17685 - return (struct desc_struct *)per_cpu(cpu_gdt_descr, cpu).address;
17686 + return cpu_gdt_table[cpu];
17689 +#define pax_open_kernel(cr0) \
17691 + typecheck(unsigned long,cr0); \
17692 + preempt_disable(); \
17693 + cr0 = read_cr0(); \
17694 + write_cr0(cr0 & ~0x10000UL); \
17697 +#define pax_close_kernel(cr0) \
17699 + typecheck(unsigned long,cr0); \
17700 + write_cr0(cr0); \
17701 + preempt_enable_no_resched(); \
17704 +static inline void set_user_cs(struct mm_struct *mm, int cpu)
17706 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
17707 + unsigned long base = mm->context.user_cs_base;
17708 + unsigned long limit = mm->context.user_cs_limit;
17710 +#ifdef CONFIG_PAX_KERNEXEC
17711 + unsigned long cr0;
17713 + pax_open_kernel(cr0);
17716 + if (likely(limit)) {
17721 + get_cpu_gdt_table(cpu)[GDT_ENTRY_DEFAULT_USER_CS].a = (limit & 0xFFFFUL) | (base << 16);
17722 + get_cpu_gdt_table(cpu)[GDT_ENTRY_DEFAULT_USER_CS].b = (limit & 0xF0000UL) | 0xC0FB00UL | (base & 0xFF000000UL) | ((base >> 16) & 0xFFUL);
17724 +#ifdef CONFIG_PAX_KERNEXEC
17725 + pax_close_kernel(cr0);
17731 #define load_TR_desc() __asm__ __volatile__("ltr %w0"::"q" (GDT_ENTRY_TSS*8))
17732 @@ -50,7 +92,7 @@ static inline struct desc_struct *get_cp
17733 * This is the ldt that every process will get unless we need
17734 * something other than this.
17736 -extern struct desc_struct default_ldt[];
17737 +extern const struct desc_struct default_ldt[];
17738 extern void set_intr_gate(unsigned int irq, void * addr);
17740 #define _set_tssldt_desc(n,addr,limit,type) \
17741 @@ -64,7 +106,7 @@ __asm__ __volatile__ ("movw %w3,0(%2)\n\
17743 : "=m"(*(n)) : "q" (addr), "r"(n), "ir"(limit), "i"(type))
17745 -static inline void __set_tss_desc(unsigned int cpu, unsigned int entry, void *addr)
17746 +static inline void __set_tss_desc(unsigned int cpu, unsigned int entry, const void *addr)
17748 _set_tssldt_desc(&get_cpu_gdt_table(cpu)[entry], (int)addr,
17749 offsetof(struct tss_struct, __cacheline_filler) - 1, 0x89);
17750 @@ -72,11 +114,28 @@ static inline void __set_tss_desc(unsign
17752 #define set_tss_desc(cpu,addr) __set_tss_desc(cpu, GDT_ENTRY_TSS, addr)
17754 -static inline void set_ldt_desc(unsigned int cpu, void *addr, unsigned int size)
17755 +static inline void __set_ldt_desc(unsigned int cpu, const void *addr, unsigned int size)
17757 _set_tssldt_desc(&get_cpu_gdt_table(cpu)[GDT_ENTRY_LDT], (int)addr, ((size << 3)-1), 0x82);
17760 +static inline void set_ldt_desc(unsigned int cpu, const void *addr, unsigned int size)
17763 +#ifdef CONFIG_PAX_KERNEXEC
17764 + unsigned long cr0;
17766 + pax_open_kernel(cr0);
17769 + _set_tssldt_desc(&get_cpu_gdt_table(cpu)[GDT_ENTRY_LDT], (int)addr, ((size << 3)-1), 0x82);
17771 +#ifdef CONFIG_PAX_KERNEXEC
17772 + pax_close_kernel(cr0);
17777 #define LDT_entry_a(info) \
17778 ((((info)->base_addr & 0x0000ffff) << 16) | ((info)->limit & 0x0ffff))
17780 @@ -90,7 +149,7 @@ static inline void set_ldt_desc(unsigned
17781 ((info)->seg_32bit << 22) | \
17782 ((info)->limit_in_pages << 23) | \
17783 ((info)->useable << 20) | \
17787 #define LDT_empty(info) (\
17788 (info)->base_addr == 0 && \
17789 @@ -134,7 +193,7 @@ static inline void clear_LDT(void)
17791 static inline void load_LDT_nolock(mm_context_t *pc, int cpu)
17793 - void *segments = pc->ldt;
17794 + const void *segments = pc->ldt;
17795 int count = pc->size;
17797 if (likely(!count)) {
17798 @@ -162,6 +221,22 @@ static inline unsigned long get_desc_bas
17802 +static inline void _load_LDT(mm_context_t *pc)
17804 + int cpu = get_cpu();
17805 + const void *segments = pc->ldt;
17806 + int count = pc->size;
17808 + if (likely(!count)) {
17809 + segments = &default_ldt[0];
17813 + __set_ldt_desc(cpu, segments, count);
17818 #endif /* !__ASSEMBLY__ */
17821 diff -urNp linux-2.6.16.12/include/asm-i386/elf.h linux-2.6.16.12/include/asm-i386/elf.h
17822 --- linux-2.6.16.12/include/asm-i386/elf.h 2006-05-01 15:14:26.000000000 -0400
17823 +++ linux-2.6.16.12/include/asm-i386/elf.h 2006-05-01 20:17:34.000000000 -0400
17824 @@ -71,7 +71,22 @@ typedef struct user_fxsr_struct elf_fpxr
17825 the loader. We need to make sure that it is out of the way of the program
17826 that it will "exec", and that there is sufficient room for the brk. */
17828 +#ifdef CONFIG_PAX_SEGMEXEC
17829 +#define ELF_ET_DYN_BASE ((current->mm->pax_flags & MF_PAX_SEGMEXEC) ? SEGMEXEC_TASK_SIZE/3*2 : TASK_SIZE/3*2)
17831 #define ELF_ET_DYN_BASE ((TASK_UNMAPPED_BASE) * 2)
17834 +#ifdef CONFIG_PAX_ASLR
17835 +#define PAX_ELF_ET_DYN_BASE(tsk) 0x10000000UL
17837 +#define PAX_DELTA_MMAP_LSB(tsk) PAGE_SHIFT
17838 +#define PAX_DELTA_MMAP_LEN(tsk) ((tsk)->mm->pax_flags & MF_PAX_SEGMEXEC ? 15 : 16)
17839 +#define PAX_DELTA_EXEC_LSB(tsk) PAGE_SHIFT
17840 +#define PAX_DELTA_EXEC_LEN(tsk) 15
17841 +#define PAX_DELTA_STACK_LSB(tsk) PAGE_SHIFT
17842 +#define PAX_DELTA_STACK_LEN(tsk) ((tsk)->mm->pax_flags & MF_PAX_SEGMEXEC ? 15 : 16)
17845 /* regs is struct pt_regs, pr_reg is elf_gregset_t (which is
17846 now struct_user_regs, they are different) */
17847 @@ -131,7 +146,14 @@ extern int dump_task_extended_fpu (struc
17849 #define VSYSCALL_BASE (__fix_to_virt(FIX_VSYSCALL))
17850 #define VSYSCALL_EHDR ((const struct elfhdr *) VSYSCALL_BASE)
17852 +#ifndef CONFIG_PAX_NOVSYSCALL
17853 +#ifdef CONFIG_PAX_SEGMEXEC
17854 +#define VSYSCALL_ENTRY ((current->mm->pax_flags & MF_PAX_SEGMEXEC) ? (unsigned long) &__kernel_vsyscall - SEGMEXEC_TASK_SIZE : (unsigned long) &__kernel_vsyscall)
17856 #define VSYSCALL_ENTRY ((unsigned long) &__kernel_vsyscall)
17859 extern void __kernel_vsyscall;
17861 #define ARCH_DLINFO \
17862 @@ -187,3 +209,5 @@ do { \
17868 diff -urNp linux-2.6.16.12/include/asm-i386/i387.h linux-2.6.16.12/include/asm-i386/i387.h
17869 --- linux-2.6.16.12/include/asm-i386/i387.h 2006-05-01 15:14:26.000000000 -0400
17870 +++ linux-2.6.16.12/include/asm-i386/i387.h 2006-05-01 20:17:34.000000000 -0400
17871 @@ -31,8 +31,8 @@ extern void init_fpu(struct task_struct
17873 #define restore_fpu(tsk) \
17874 alternative_input( \
17875 - "nop ; frstor %1", \
17877 + "nop ; frstor %2", \
17879 X86_FEATURE_FXSR, \
17880 "m" ((tsk)->thread.i387.fxsave))
17882 diff -urNp linux-2.6.16.12/include/asm-i386/mach-default/apm.h linux-2.6.16.12/include/asm-i386/mach-default/apm.h
17883 --- linux-2.6.16.12/include/asm-i386/mach-default/apm.h 2006-05-01 15:14:26.000000000 -0400
17884 +++ linux-2.6.16.12/include/asm-i386/mach-default/apm.h 2006-05-01 20:17:34.000000000 -0400
17885 @@ -36,7 +36,7 @@ static inline void apm_bios_call_asm(u32
17886 __asm__ __volatile__(APM_DO_ZERO_SEGS
17889 - "lcall *%%cs:apm_bios_entry\n\t"
17890 + "lcall *%%ss:apm_bios_entry\n\t"
17894 @@ -60,7 +60,7 @@ static inline u8 apm_bios_call_simple_as
17895 __asm__ __volatile__(APM_DO_ZERO_SEGS
17898 - "lcall *%%cs:apm_bios_entry\n\t"
17899 + "lcall *%%ss:apm_bios_entry\n\t"
17903 diff -urNp linux-2.6.16.12/include/asm-i386/mman.h linux-2.6.16.12/include/asm-i386/mman.h
17904 --- linux-2.6.16.12/include/asm-i386/mman.h 2006-05-01 15:14:26.000000000 -0400
17905 +++ linux-2.6.16.12/include/asm-i386/mman.h 2006-05-01 20:17:34.000000000 -0400
17907 #define MAP_POPULATE 0x8000 /* populate (prefault) pagetables */
17908 #define MAP_NONBLOCK 0x10000 /* do not block on IO */
17910 +#ifdef CONFIG_PAX_SEGMEXEC
17911 +#define MAP_MIRROR 0x20000
17914 #define MCL_CURRENT 1 /* lock all current mappings */
17915 #define MCL_FUTURE 2 /* lock all future mappings */
17917 diff -urNp linux-2.6.16.12/include/asm-i386/mmu_context.h linux-2.6.16.12/include/asm-i386/mmu_context.h
17918 --- linux-2.6.16.12/include/asm-i386/mmu_context.h 2006-05-01 15:14:26.000000000 -0400
17919 +++ linux-2.6.16.12/include/asm-i386/mmu_context.h 2006-05-01 20:17:34.000000000 -0400
17920 @@ -46,6 +46,13 @@ static inline void switch_mm(struct mm_s
17922 if (unlikely(prev->context.ldt != next->context.ldt))
17923 load_LDT_nolock(&next->context, cpu);
17925 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_SMP)
17926 + cpu_clear(cpu, prev->context.cpu_user_cs_mask);
17927 + cpu_set(cpu, next->context.cpu_user_cs_mask);
17930 + set_user_cs(next, cpu);
17934 @@ -58,6 +65,12 @@ static inline void switch_mm(struct mm_s
17936 load_cr3(next->pgd);
17937 load_LDT_nolock(&next->context, cpu);
17939 +#ifdef CONFIG_PAX_PAGEEXEC
17940 + cpu_set(cpu, next->context.cpu_user_cs_mask);
17943 + set_user_cs(next, cpu);
17947 diff -urNp linux-2.6.16.12/include/asm-i386/mmu.h linux-2.6.16.12/include/asm-i386/mmu.h
17948 --- linux-2.6.16.12/include/asm-i386/mmu.h 2006-05-01 15:14:26.000000000 -0400
17949 +++ linux-2.6.16.12/include/asm-i386/mmu.h 2006-05-01 20:17:34.000000000 -0400
17950 @@ -12,6 +12,17 @@ typedef struct {
17952 struct semaphore sem;
17955 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
17956 + unsigned long user_cs_base;
17957 + unsigned long user_cs_limit;
17959 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_SMP)
17960 + cpumask_t cpu_user_cs_mask;
17968 diff -urNp linux-2.6.16.12/include/asm-i386/module.h linux-2.6.16.12/include/asm-i386/module.h
17969 --- linux-2.6.16.12/include/asm-i386/module.h 2006-05-01 15:14:26.000000000 -0400
17970 +++ linux-2.6.16.12/include/asm-i386/module.h 2006-05-01 20:17:34.000000000 -0400
17971 @@ -72,6 +72,12 @@ struct mod_arch_specific
17972 #define MODULE_STACKSIZE ""
17975 -#define MODULE_ARCH_VERMAGIC MODULE_PROC_FAMILY MODULE_REGPARM MODULE_STACKSIZE
17976 +#ifdef CONFIG_GRKERNSEC
17977 +#define MODULE_GRSEC "GRSECURITY "
17979 +#define MODULE_GRSEC ""
17982 +#define MODULE_ARCH_VERMAGIC MODULE_PROC_FAMILY MODULE_REGPARM MODULE_STACKSIZE MODULE_GRSEC
17984 #endif /* _ASM_I386_MODULE_H */
17985 diff -urNp linux-2.6.16.12/include/asm-i386/page.h linux-2.6.16.12/include/asm-i386/page.h
17986 --- linux-2.6.16.12/include/asm-i386/page.h 2006-05-01 15:14:26.000000000 -0400
17987 +++ linux-2.6.16.12/include/asm-i386/page.h 2006-05-01 20:17:34.000000000 -0400
17988 @@ -57,7 +57,6 @@ typedef struct { unsigned long long pgpr
17989 typedef struct { unsigned long pte_low; } pte_t;
17990 typedef struct { unsigned long pgd; } pgd_t;
17991 typedef struct { unsigned long pgprot; } pgprot_t;
17992 -#define boot_pte_t pte_t /* or would you rather have a typedef */
17993 #define pte_val(x) ((x).pte_low)
17994 #define HPAGE_SHIFT 22
17996 @@ -113,6 +112,15 @@ extern int page_is_ram(unsigned long pag
17997 #define __PHYSICAL_START CONFIG_PHYSICAL_START
17998 #define __KERNEL_START (__PAGE_OFFSET + __PHYSICAL_START)
17999 #define __MAXMEM (-__PAGE_OFFSET-__VMALLOC_RESERVE)
18000 +#ifdef CONFIG_PAX_KERNEXEC
18001 +#define __KERNEL_TEXT_OFFSET (__PAGE_OFFSET + ((__PHYSICAL_START + ~(4*1024*1024)) & (4*1024*1024)))
18002 +#ifndef __ASSEMBLY__
18003 +extern unsigned char MODULES_VADDR[];
18004 +extern unsigned char MODULES_END[];
18007 +#define __KERNEL_TEXT_OFFSET (0)
18010 #define PAGE_OFFSET ((unsigned long)__PAGE_OFFSET)
18011 #define PHYSICAL_START ((unsigned long)__PHYSICAL_START)
18012 @@ -135,6 +143,19 @@ extern int page_is_ram(unsigned long pag
18013 ((current->personality & READ_IMPLIES_EXEC) ? VM_EXEC : 0 ) | \
18014 VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
18016 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
18017 +#ifdef CONFIG_PAX_MPROTECT
18018 +#define __VM_STACK_FLAGS (((current->mm->pax_flags & MF_PAX_MPROTECT)?0:VM_MAYEXEC) | \
18019 + ((current->mm->pax_flags & (MF_PAX_PAGEEXEC|MF_PAX_SEGMEXEC))?0:VM_EXEC))
18021 +#define __VM_STACK_FLAGS (VM_MAYEXEC | ((current->mm->pax_flags & (MF_PAX_PAGEEXEC|MF_PAX_SEGMEXEC))?0:VM_EXEC))
18025 +#ifdef CONFIG_PAX_PAGEEXEC
18026 +#define CONFIG_ARCH_TRACK_EXEC_LIMIT 1
18029 #endif /* __KERNEL__ */
18031 #include <asm-generic/page.h>
18032 diff -urNp linux-2.6.16.12/include/asm-i386/pgalloc.h linux-2.6.16.12/include/asm-i386/pgalloc.h
18033 --- linux-2.6.16.12/include/asm-i386/pgalloc.h 2006-05-01 15:14:26.000000000 -0400
18034 +++ linux-2.6.16.12/include/asm-i386/pgalloc.h 2006-05-01 20:17:34.000000000 -0400
18037 #include <linux/config.h>
18038 #include <asm/fixmap.h>
18039 +#include <asm/desc.h>
18040 #include <linux/threads.h>
18041 #include <linux/mm.h> /* for struct page */
18043 #define pmd_populate_kernel(mm, pmd, pte) \
18044 - set_pmd(pmd, __pmd(_PAGE_TABLE + __pa(pte)))
18045 + set_pmd(pmd, __pmd(_KERNPG_TABLE + __pa(pte)))
18047 #define pmd_populate(mm, pmd, pte) \
18048 set_pmd(pmd, __pmd(_PAGE_TABLE + \
18049 diff -urNp linux-2.6.16.12/include/asm-i386/pgtable.h linux-2.6.16.12/include/asm-i386/pgtable.h
18050 --- linux-2.6.16.12/include/asm-i386/pgtable.h 2006-05-01 15:14:26.000000000 -0400
18051 +++ linux-2.6.16.12/include/asm-i386/pgtable.h 2006-05-01 20:17:34.000000000 -0400
18052 @@ -34,7 +34,6 @@ struct vm_area_struct;
18054 #define ZERO_PAGE(vaddr) (virt_to_page(empty_zero_page))
18055 extern unsigned long empty_zero_page[1024];
18056 -extern pgd_t swapper_pg_dir[1024];
18057 extern kmem_cache_t *pgd_cache;
18058 extern kmem_cache_t *pmd_cache;
18059 extern spinlock_t pgd_lock;
18060 @@ -59,6 +58,11 @@ void paging_init(void);
18061 # include <asm/pgtable-2level-defs.h>
18064 +extern pgd_t swapper_pg_dir[PTRS_PER_PGD];
18065 +#ifdef CONFIG_X86_PAE
18066 +extern pmd_t swapper_pm_dir[PTRS_PER_PGD][PTRS_PER_PMD];
18069 #define PGDIR_SIZE (1UL << PGDIR_SHIFT)
18070 #define PGDIR_MASK (~(PGDIR_SIZE-1))
18072 @@ -68,9 +72,11 @@ void paging_init(void);
18073 #define USER_PGD_PTRS (PAGE_OFFSET >> PGDIR_SHIFT)
18074 #define KERNEL_PGD_PTRS (PTRS_PER_PGD-USER_PGD_PTRS)
18076 +#ifndef CONFIG_X86_PAE
18077 #define TWOLEVEL_PGDIR_SHIFT 22
18078 #define BOOT_USER_PGD_PTRS (__PAGE_OFFSET >> TWOLEVEL_PGDIR_SHIFT)
18079 #define BOOT_KERNEL_PGD_PTRS (1024-BOOT_USER_PGD_PTRS)
18082 /* Just any arbitrary offset to the start of the vmalloc VM area: the
18083 * current 8MB value just means that there will be a 8MB "hole" after the
18084 @@ -141,17 +147,26 @@ void paging_init(void);
18086 #define PAGE_SHARED_EXEC \
18087 __pgprot(_PAGE_PRESENT | _PAGE_RW | _PAGE_USER | _PAGE_ACCESSED)
18088 -#define PAGE_COPY_NOEXEC \
18089 - __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_ACCESSED | _PAGE_NX)
18090 #define PAGE_COPY_EXEC \
18091 __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_ACCESSED)
18092 -#define PAGE_COPY \
18094 #define PAGE_READONLY \
18095 __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_ACCESSED | _PAGE_NX)
18096 #define PAGE_READONLY_EXEC \
18097 __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_ACCESSED)
18099 +#ifdef CONFIG_PAX_PAGEEXEC
18100 +# define PAGE_SHARED_NOEXEC __pgprot(_PAGE_PRESENT | _PAGE_RW | _PAGE_ACCESSED)
18101 +# define PAGE_COPY_NOEXEC __pgprot(_PAGE_PRESENT | _PAGE_ACCESSED)
18102 +# define PAGE_READONLY_NOEXEC __pgprot(_PAGE_PRESENT | _PAGE_ACCESSED)
18104 +# define PAGE_SHARED_NOEXEC PAGE_SHARED
18105 +# define PAGE_COPY_NOEXEC \
18106 + __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_ACCESSED | _PAGE_NX)
18107 +# define PAGE_READONLY_NOEXEC PAGE_READONLY
18110 +#define PAGE_COPY \
18112 #define _PAGE_KERNEL \
18113 (_PAGE_PRESENT | _PAGE_RW | _PAGE_DIRTY | _PAGE_ACCESSED | _PAGE_NX)
18114 #define _PAGE_KERNEL_EXEC \
18115 @@ -176,18 +191,18 @@ extern unsigned long long __PAGE_KERNEL,
18116 * This is the closest we can get..
18118 #define __P000 PAGE_NONE
18119 -#define __P001 PAGE_READONLY
18120 -#define __P010 PAGE_COPY
18121 -#define __P011 PAGE_COPY
18122 +#define __P001 PAGE_READONLY_NOEXEC
18123 +#define __P010 PAGE_COPY_NOEXEC
18124 +#define __P011 PAGE_COPY_NOEXEC
18125 #define __P100 PAGE_READONLY_EXEC
18126 #define __P101 PAGE_READONLY_EXEC
18127 #define __P110 PAGE_COPY_EXEC
18128 #define __P111 PAGE_COPY_EXEC
18130 #define __S000 PAGE_NONE
18131 -#define __S001 PAGE_READONLY
18132 -#define __S010 PAGE_SHARED
18133 -#define __S011 PAGE_SHARED
18134 +#define __S001 PAGE_READONLY_NOEXEC
18135 +#define __S010 PAGE_SHARED_NOEXEC
18136 +#define __S011 PAGE_SHARED_NOEXEC
18137 #define __S100 PAGE_READONLY_EXEC
18138 #define __S101 PAGE_READONLY_EXEC
18139 #define __S110 PAGE_SHARED_EXEC
18140 @@ -432,6 +447,9 @@ extern void noexec_setup(const char *str
18142 #endif /* !__ASSEMBLY__ */
18144 +#define HAVE_ARCH_UNMAPPED_AREA
18145 +#define HAVE_ARCH_UNMAPPED_AREA_TOPDOWN
18147 #ifdef CONFIG_FLATMEM
18148 #define kern_addr_valid(addr) (1)
18149 #endif /* CONFIG_FLATMEM */
18150 diff -urNp linux-2.6.16.12/include/asm-i386/processor.h linux-2.6.16.12/include/asm-i386/processor.h
18151 --- linux-2.6.16.12/include/asm-i386/processor.h 2006-05-01 15:14:26.000000000 -0400
18152 +++ linux-2.6.16.12/include/asm-i386/processor.h 2006-05-01 20:17:34.000000000 -0400
18154 #include <linux/cache.h>
18155 #include <linux/config.h>
18156 #include <linux/threads.h>
18157 -#include <asm/percpu.h>
18159 /* flag for disabling the tsc */
18160 extern int tsc_disable;
18161 @@ -90,8 +89,6 @@ struct cpuinfo_x86 {
18163 extern struct cpuinfo_x86 boot_cpu_data;
18164 extern struct cpuinfo_x86 new_cpu_data;
18165 -extern struct tss_struct doublefault_tss;
18166 -DECLARE_PER_CPU(struct tss_struct, init_tss);
18169 extern struct cpuinfo_x86 cpu_data[];
18170 @@ -321,10 +318,19 @@ extern int bootloader_type;
18171 #define __TASK_SIZE (__PAGE_OFFSET)
18172 #define TASK_SIZE ((unsigned long)__TASK_SIZE)
18174 +#ifdef CONFIG_PAX_SEGMEXEC
18175 +#define SEGMEXEC_TASK_SIZE ((PAGE_OFFSET) / 2)
18178 /* This decides where the kernel will search for a free chunk of vm
18179 * space during mmap's.
18182 +#ifdef CONFIG_PAX_SEGMEXEC
18183 +#define TASK_UNMAPPED_BASE (PAGE_ALIGN((current->mm->pax_flags & MF_PAX_SEGMEXEC) ? SEGMEXEC_TASK_SIZE/3 : TASK_SIZE/3))
18185 #define TASK_UNMAPPED_BASE (PAGE_ALIGN(TASK_SIZE / 3))
18188 #define HAVE_ARCH_PICK_MMAP_LAYOUT
18190 @@ -440,6 +446,9 @@ struct tss_struct {
18192 #define ARCH_MIN_TASKALIGN 16
18194 +extern struct tss_struct doublefault_tss;
18195 +extern struct tss_struct init_tss[NR_CPUS];
18197 struct thread_struct {
18198 /* cached TLS descriptors. */
18199 struct desc_struct tls_array[GDT_ENTRY_TLS_ENTRIES];
18200 @@ -468,6 +477,7 @@ struct thread_struct {
18203 #define INIT_THREAD { \
18204 + .esp0 = sizeof(init_stack) + (long)&init_stack - 8, \
18205 .vm86_info = NULL, \
18206 .sysenter_cs = __KERNEL_CS, \
18207 .io_bitmap_ptr = NULL, \
18208 @@ -480,7 +490,7 @@ struct thread_struct {
18209 * be within the limit.
18211 #define INIT_TSS { \
18212 - .esp0 = sizeof(init_stack) + (long)&init_stack, \
18213 + .esp0 = sizeof(init_stack) + (long)&init_stack - 8, \
18214 .ss0 = __KERNEL_DS, \
18215 .ss1 = __KERNEL_CS, \
18216 .io_bitmap_base = INVALID_IO_BITMAP_OFFSET, \
18217 @@ -556,11 +566,7 @@ void show_trace(struct task_struct *task
18218 unsigned long get_wchan(struct task_struct *p);
18220 #define THREAD_SIZE_LONGS (THREAD_SIZE/sizeof(unsigned long))
18221 -#define KSTK_TOP(info) \
18223 - unsigned long *__ptr = (unsigned long *)(info); \
18224 - (unsigned long)(&__ptr[THREAD_SIZE_LONGS]); \
18226 +#define KSTK_TOP(info) ((info)->task.thread.esp0)
18229 * The below -8 is to reserve 8 bytes on top of the ring0 stack.
18230 @@ -575,7 +581,7 @@ unsigned long get_wchan(struct task_stru
18231 #define task_pt_regs(task) \
18233 struct pt_regs *__regs__; \
18234 - __regs__ = (struct pt_regs *)(KSTK_TOP(task_stack_page(task))-8); \
18235 + __regs__ = (struct pt_regs *)((task)->thread.esp0); \
18239 @@ -699,7 +705,7 @@ static inline void rep_nop(void)
18240 static inline void prefetch(const void *x)
18242 alternative_input(ASM_NOP4,
18243 - "prefetchnta (%1)",
18244 + "prefetchnta (%2)",
18248 @@ -713,7 +719,7 @@ static inline void prefetch(const void *
18249 static inline void prefetchw(const void *x)
18251 alternative_input(ASM_NOP4,
18252 - "prefetchw (%1)",
18253 + "prefetchw (%2)",
18257 diff -urNp linux-2.6.16.12/include/asm-i386/ptrace.h linux-2.6.16.12/include/asm-i386/ptrace.h
18258 --- linux-2.6.16.12/include/asm-i386/ptrace.h 2006-05-01 15:14:26.000000000 -0400
18259 +++ linux-2.6.16.12/include/asm-i386/ptrace.h 2006-05-01 20:17:34.000000000 -0400
18260 @@ -65,17 +65,18 @@ struct task_struct;
18261 extern void send_sigtrap(struct task_struct *tsk, struct pt_regs *regs, int error_code);
18264 - * user_mode_vm(regs) determines whether a register set came from user mode.
18265 + * user_mode(regs) determines whether a register set came from user mode.
18266 * This is true if V8086 mode was enabled OR if the register set was from
18267 * protected mode with RPL-3 CS value. This tricky test checks that with
18268 * one comparison. Many places in the kernel can bypass this full check
18269 - * if they have already ruled out V8086 mode, so user_mode(regs) can be used.
18270 + * if they have already ruled out V8086 mode, so user_mode_novm(regs) can
18273 -static inline int user_mode(struct pt_regs *regs)
18274 +static inline int user_mode_novm(struct pt_regs *regs)
18276 return (regs->xcs & 3) != 0;
18278 -static inline int user_mode_vm(struct pt_regs *regs)
18279 +static inline int user_mode(struct pt_regs *regs)
18281 return ((regs->xcs & 3) | (regs->eflags & VM_MASK)) != 0;
18283 diff -urNp linux-2.6.16.12/include/asm-i386/system.h linux-2.6.16.12/include/asm-i386/system.h
18284 --- linux-2.6.16.12/include/asm-i386/system.h 2006-05-01 15:14:26.000000000 -0400
18285 +++ linux-2.6.16.12/include/asm-i386/system.h 2006-05-01 20:17:34.000000000 -0400
18287 #include <linux/kernel.h>
18288 #include <asm/segment.h>
18289 #include <asm/cpufeature.h>
18290 +#include <asm/page.h>
18291 #include <linux/bitops.h> /* for LOCK_PREFIX */
18294 @@ -151,7 +152,7 @@ static inline unsigned long get_limit(un
18295 unsigned long __limit;
18296 __asm__("lsll %1,%0"
18297 :"=r" (__limit):"r" (segment));
18298 - return __limit+1;
18302 #define nop() __asm__ __volatile__ ("nop")
18303 @@ -379,15 +380,15 @@ struct alt_instr {
18304 asm volatile ("661:\n\t" oldinstr "\n662:\n" \
18305 ".section .altinstructions,\"a\"\n" \
18307 - " .long 661b\n" /* label */ \
18308 + " .long 661b + %c1\n" /* label */ \
18309 " .long 663f\n" /* new instruction */ \
18310 " .byte %c0\n" /* feature bit */ \
18311 " .byte 662b-661b\n" /* sourcelen */ \
18312 " .byte 664f-663f\n" /* replacementlen */ \
18314 - ".section .altinstr_replacement,\"ax\"\n" \
18315 + ".section .altinstr_replacement,\"a\"\n" \
18316 "663:\n\t" newinstr "\n664:\n" /* replacement */ \
18317 - ".previous" :: "i" (feature) : "memory")
18318 + ".previous" :: "i" (feature), "i" (__KERNEL_TEXT_OFFSET) : "memory")
18321 * Alternative inline assembly with input.
18322 @@ -403,15 +404,15 @@ struct alt_instr {
18323 asm volatile ("661:\n\t" oldinstr "\n662:\n" \
18324 ".section .altinstructions,\"a\"\n" \
18326 - " .long 661b\n" /* label */ \
18327 + " .long 661b + %c1\n" /* label */ \
18328 " .long 663f\n" /* new instruction */ \
18329 " .byte %c0\n" /* feature bit */ \
18330 " .byte 662b-661b\n" /* sourcelen */ \
18331 " .byte 664f-663f\n" /* replacementlen */ \
18333 - ".section .altinstr_replacement,\"ax\"\n" \
18334 + ".section .altinstr_replacement,\"a\"\n" \
18335 "663:\n\t" newinstr "\n664:\n" /* replacement */ \
18336 - ".previous" :: "i" (feature), ##input)
18337 + ".previous" :: "i" (feature), "i" (__KERNEL_TEXT_OFFSET), ##input)
18340 * Force strict CPU ordering.
18341 @@ -557,6 +558,6 @@ static inline void sched_cacheflush(void
18345 -extern unsigned long arch_align_stack(unsigned long sp);
18346 +#define arch_align_stack(x) (x)
18349 diff -urNp linux-2.6.16.12/include/asm-ia64/elf.h linux-2.6.16.12/include/asm-ia64/elf.h
18350 --- linux-2.6.16.12/include/asm-ia64/elf.h 2006-05-01 15:14:26.000000000 -0400
18351 +++ linux-2.6.16.12/include/asm-ia64/elf.h 2006-05-01 20:17:34.000000000 -0400
18352 @@ -163,6 +163,16 @@ typedef elf_greg_t elf_gregset_t[ELF_NGR
18353 typedef struct ia64_fpreg elf_fpreg_t;
18354 typedef elf_fpreg_t elf_fpregset_t[ELF_NFPREG];
18356 +#ifdef CONFIG_PAX_ASLR
18357 +#define PAX_ELF_ET_DYN_BASE(tsk) ((tsk)->personality == PER_LINUX32 ? 0x08048000UL : 0x4000000000000000UL)
18359 +#define PAX_DELTA_MMAP_LSB(tsk) PAGE_SHIFT
18360 +#define PAX_DELTA_MMAP_LEN(tsk) ((tsk)->personality == PER_LINUX32 ? 16 : 3*PAGE_SHIFT - 13)
18361 +#define PAX_DELTA_EXEC_LSB(tsk) PAGE_SHIFT
18362 +#define PAX_DELTA_EXEC_LEN(tsk) ((tsk)->personality == PER_LINUX32 ? 16 : 3*PAGE_SHIFT - 13)
18363 +#define PAX_DELTA_STACK_LSB(tsk) PAGE_SHIFT
18364 +#define PAX_DELTA_STACK_LEN(tsk) ((tsk)->personality == PER_LINUX32 ? 16 : 3*PAGE_SHIFT - 13)
18368 struct pt_regs; /* forward declaration... */
18369 diff -urNp linux-2.6.16.12/include/asm-ia64/page.h linux-2.6.16.12/include/asm-ia64/page.h
18370 --- linux-2.6.16.12/include/asm-ia64/page.h 2006-05-01 15:14:26.000000000 -0400
18371 +++ linux-2.6.16.12/include/asm-ia64/page.h 2006-05-01 20:17:34.000000000 -0400
18372 @@ -219,4 +219,13 @@ get_order (unsigned long size)
18373 (((current->personality & READ_IMPLIES_EXEC) != 0) \
18376 +#ifdef CONFIG_PAX_PAGEEXEC
18377 +#ifdef CONFIG_PAX_MPROTECT
18378 +#define __VM_STACK_FLAGS (((current->mm->pax_flags & MF_PAX_MPROTECT)?0:VM_MAYEXEC) | \
18379 + ((current->mm->pax_flags & MF_PAX_PAGEEXEC)?0:VM_EXEC))
18381 +#define __VM_STACK_FLAGS (VM_MAYEXEC | ((current->mm->pax_flags & MF_PAX_PAGEEXEC)?0:VM_EXEC))
18385 #endif /* _ASM_IA64_PAGE_H */
18386 diff -urNp linux-2.6.16.12/include/asm-ia64/pgtable.h linux-2.6.16.12/include/asm-ia64/pgtable.h
18387 --- linux-2.6.16.12/include/asm-ia64/pgtable.h 2006-05-01 15:14:26.000000000 -0400
18388 +++ linux-2.6.16.12/include/asm-ia64/pgtable.h 2006-05-01 20:17:34.000000000 -0400
18389 @@ -144,6 +144,17 @@
18390 #define PAGE_READONLY __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_R)
18391 #define PAGE_COPY __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_R)
18392 #define PAGE_COPY_EXEC __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_RX)
18394 +#ifdef CONFIG_PAX_PAGEEXEC
18395 +# define PAGE_SHARED_NOEXEC __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_RW)
18396 +# define PAGE_READONLY_NOEXEC __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_R)
18397 +# define PAGE_COPY_NOEXEC __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_R)
18399 +# define PAGE_SHARED_NOEXEC PAGE_SHARED
18400 +# define PAGE_READONLY_NOEXEC PAGE_READONLY
18401 +# define PAGE_COPY_NOEXEC PAGE_COPY
18404 #define PAGE_GATE __pgprot(__ACCESS_BITS | _PAGE_PL_0 | _PAGE_AR_X_RX)
18405 #define PAGE_KERNEL __pgprot(__DIRTY_BITS | _PAGE_PL_0 | _PAGE_AR_RWX)
18406 #define PAGE_KERNELRX __pgprot(__ACCESS_BITS | _PAGE_PL_0 | _PAGE_AR_RX)
18407 diff -urNp linux-2.6.16.12/include/asm-ia64/processor.h linux-2.6.16.12/include/asm-ia64/processor.h
18408 --- linux-2.6.16.12/include/asm-ia64/processor.h 2006-05-01 15:14:26.000000000 -0400
18409 +++ linux-2.6.16.12/include/asm-ia64/processor.h 2006-05-01 20:17:34.000000000 -0400
18410 @@ -284,7 +284,7 @@ struct thread_struct {
18413 .map_base = DEFAULT_MAP_BASE, \
18414 - .rbs_bot = STACK_TOP - DEFAULT_USER_STACK_SIZE, \
18415 + .rbs_bot = __STACK_TOP - DEFAULT_USER_STACK_SIZE, \
18416 .task_size = DEFAULT_TASK_SIZE, \
18417 .last_fph_cpu = -1, \
18419 diff -urNp linux-2.6.16.12/include/asm-ia64/ustack.h linux-2.6.16.12/include/asm-ia64/ustack.h
18420 --- linux-2.6.16.12/include/asm-ia64/ustack.h 2006-05-01 15:14:26.000000000 -0400
18421 +++ linux-2.6.16.12/include/asm-ia64/ustack.h 2006-05-01 20:17:34.000000000 -0400
18423 #define MAX_USER_STACK_SIZE (RGN_MAP_LIMIT/2)
18424 /* Make a default stack size of 2GB */
18425 #define DEFAULT_USER_STACK_SIZE (1UL << 31)
18426 -#define STACK_TOP (0x6000000000000000UL + RGN_MAP_LIMIT)
18427 +#define __STACK_TOP (0x6000000000000000UL + RGN_MAP_LIMIT)
18429 #endif /* _ASM_IA64_USTACK_H */
18430 diff -urNp linux-2.6.16.12/include/asm-mips/a.out.h linux-2.6.16.12/include/asm-mips/a.out.h
18431 --- linux-2.6.16.12/include/asm-mips/a.out.h 2006-05-01 15:14:26.000000000 -0400
18432 +++ linux-2.6.16.12/include/asm-mips/a.out.h 2006-05-01 20:17:34.000000000 -0400
18433 @@ -36,10 +36,10 @@ struct exec
18436 #ifdef CONFIG_32BIT
18437 -#define STACK_TOP TASK_SIZE
18438 +#define __STACK_TOP TASK_SIZE
18440 #ifdef CONFIG_64BIT
18441 -#define STACK_TOP (current->thread.mflags & MF_32BIT_ADDR ? TASK_SIZE32 : TASK_SIZE)
18442 +#define __STACK_TOP (current->thread.mflags & MF_32BIT_ADDR ? TASK_SIZE32 : TASK_SIZE)
18446 diff -urNp linux-2.6.16.12/include/asm-mips/elf.h linux-2.6.16.12/include/asm-mips/elf.h
18447 --- linux-2.6.16.12/include/asm-mips/elf.h 2006-05-01 15:14:26.000000000 -0400
18448 +++ linux-2.6.16.12/include/asm-mips/elf.h 2006-05-01 20:17:34.000000000 -0400
18449 @@ -331,4 +331,15 @@ extern int dump_task_fpu(struct task_str
18450 #define ELF_ET_DYN_BASE (TASK_SIZE / 3 * 2)
18453 +#ifdef CONFIG_PAX_ASLR
18454 +#define PAX_ELF_ET_DYN_BASE(tsk) (((tsk)->thread.mflags & MF_32BIT_ADDR) ? 0x00400000UL : 0x00400000UL)
18456 +#define PAX_DELTA_MMAP_LSB(tsk) PAGE_SHIFT
18457 +#define PAX_DELTA_MMAP_LEN(tsk) (((tsk)->thread.mflags & MF_32BIT_ADDR) ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
18458 +#define PAX_DELTA_EXEC_LSB(tsk) PAGE_SHIFT
18459 +#define PAX_DELTA_EXEC_LEN(tsk) (((tsk)->thread.mflags & MF_32BIT_ADDR) ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
18460 +#define PAX_DELTA_STACK_LSB(tsk) PAGE_SHIFT
18461 +#define PAX_DELTA_STACK_LEN(tsk) (((tsk)->thread.mflags & MF_32BIT_ADDR) ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
18464 #endif /* _ASM_ELF_H */
18465 diff -urNp linux-2.6.16.12/include/asm-mips/page.h linux-2.6.16.12/include/asm-mips/page.h
18466 --- linux-2.6.16.12/include/asm-mips/page.h 2006-05-01 15:14:26.000000000 -0400
18467 +++ linux-2.6.16.12/include/asm-mips/page.h 2006-05-01 20:17:34.000000000 -0400
18468 @@ -151,6 +151,15 @@ typedef struct { unsigned long pgprot; }
18469 #define VM_DATA_DEFAULT_FLAGS (VM_READ | VM_WRITE | VM_EXEC | \
18470 VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
18472 +#ifdef CONFIG_PAX_PAGEEXEC
18473 +#ifdef CONFIG_PAX_MPROTECT
18474 +#define __VM_STACK_FLAGS (((current->mm->pax_flags & MF_PAX_MPROTECT)?0:VM_MAYEXEC) | \
18475 + ((current->mm->pax_flags & MF_PAX_PAGEEXEC)?0:VM_EXEC))
18477 +#define __VM_STACK_FLAGS (VM_MAYEXEC | ((current->mm->pax_flags & MF_PAX_PAGEEXEC)?0:VM_EXEC))
18481 #define UNCAC_ADDR(addr) ((addr) - PAGE_OFFSET + UNCAC_BASE)
18482 #define CAC_ADDR(addr) ((addr) - UNCAC_BASE + PAGE_OFFSET)
18484 diff -urNp linux-2.6.16.12/include/asm-parisc/a.out.h linux-2.6.16.12/include/asm-parisc/a.out.h
18485 --- linux-2.6.16.12/include/asm-parisc/a.out.h 2006-05-01 15:14:26.000000000 -0400
18486 +++ linux-2.6.16.12/include/asm-parisc/a.out.h 2006-05-01 20:17:34.000000000 -0400
18487 @@ -22,7 +22,7 @@ struct exec
18488 /* XXX: STACK_TOP actually should be STACK_BOTTOM for parisc.
18491 -#define STACK_TOP TASK_SIZE
18492 +#define __STACK_TOP TASK_SIZE
18496 diff -urNp linux-2.6.16.12/include/asm-parisc/elf.h linux-2.6.16.12/include/asm-parisc/elf.h
18497 --- linux-2.6.16.12/include/asm-parisc/elf.h 2006-05-01 15:14:26.000000000 -0400
18498 +++ linux-2.6.16.12/include/asm-parisc/elf.h 2006-05-01 20:17:34.000000000 -0400
18499 @@ -337,6 +337,17 @@ struct pt_regs; /* forward declaration..
18501 #define ELF_ET_DYN_BASE (TASK_UNMAPPED_BASE + 0x01000000)
18503 +#ifdef CONFIG_PAX_ASLR
18504 +#define PAX_ELF_ET_DYN_BASE(tsk) 0x10000UL
18506 +#define PAX_DELTA_MMAP_LSB(tsk) PAGE_SHIFT
18507 +#define PAX_DELTA_MMAP_LEN(tsk) 16
18508 +#define PAX_DELTA_EXEC_LSB(tsk) PAGE_SHIFT
18509 +#define PAX_DELTA_EXEC_LEN(tsk) 16
18510 +#define PAX_DELTA_STACK_LSB(tsk) PAGE_SHIFT
18511 +#define PAX_DELTA_STACK_LEN(tsk) 16
18514 /* This yields a mask that user programs can use to figure out what
18515 instruction set this CPU supports. This could be done in user space,
18516 but it's not easy, and we've already done it here. */
18517 diff -urNp linux-2.6.16.12/include/asm-parisc/page.h linux-2.6.16.12/include/asm-parisc/page.h
18518 --- linux-2.6.16.12/include/asm-parisc/page.h 2006-05-01 15:14:26.000000000 -0400
18519 +++ linux-2.6.16.12/include/asm-parisc/page.h 2006-05-01 20:17:34.000000000 -0400
18520 @@ -150,6 +150,15 @@ extern int npmem_ranges;
18521 #define VM_DATA_DEFAULT_FLAGS (VM_READ | VM_WRITE | VM_EXEC | \
18522 VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
18524 +#ifdef CONFIG_PAX_PAGEEXEC
18525 +#ifdef CONFIG_PAX_MPROTECT
18526 +#define __VM_STACK_FLAGS (((current->mm->pax_flags & MF_PAX_MPROTECT)?0:VM_MAYEXEC) | \
18527 + ((current->mm->pax_flags & MF_PAX_PAGEEXEC)?0:VM_EXEC))
18529 +#define __VM_STACK_FLAGS (VM_MAYEXEC | ((current->mm->pax_flags & MF_PAX_PAGEEXEC)?0:VM_EXEC))
18533 #endif /* __KERNEL__ */
18535 #include <asm-generic/page.h>
18536 diff -urNp linux-2.6.16.12/include/asm-parisc/pgtable.h linux-2.6.16.12/include/asm-parisc/pgtable.h
18537 --- linux-2.6.16.12/include/asm-parisc/pgtable.h 2006-05-01 15:14:26.000000000 -0400
18538 +++ linux-2.6.16.12/include/asm-parisc/pgtable.h 2006-05-01 20:17:34.000000000 -0400
18539 @@ -212,6 +212,17 @@ extern void *vmalloc_start;
18540 #define PAGE_EXECREAD __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_EXEC |_PAGE_ACCESSED)
18541 #define PAGE_COPY PAGE_EXECREAD
18542 #define PAGE_RWX __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_WRITE | _PAGE_EXEC |_PAGE_ACCESSED)
18544 +#ifdef CONFIG_PAX_PAGEEXEC
18545 +# define PAGE_SHARED_NOEXEC __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_WRITE | _PAGE_ACCESSED)
18546 +# define PAGE_COPY_NOEXEC __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_ACCESSED)
18547 +# define PAGE_READONLY_NOEXEC __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_ACCESSED)
18549 +# define PAGE_SHARED_NOEXEC PAGE_SHARED
18550 +# define PAGE_COPY_NOEXEC PAGE_COPY
18551 +# define PAGE_READONLY_NOEXEC PAGE_READONLY
18554 #define PAGE_KERNEL __pgprot(_PAGE_KERNEL)
18555 #define PAGE_KERNEL_RO __pgprot(_PAGE_KERNEL & ~_PAGE_WRITE)
18556 #define PAGE_KERNEL_UNC __pgprot(_PAGE_KERNEL | _PAGE_NO_CACHE)
18557 diff -urNp linux-2.6.16.12/include/asm-powerpc/a.out.h linux-2.6.16.12/include/asm-powerpc/a.out.h
18558 --- linux-2.6.16.12/include/asm-powerpc/a.out.h 2006-05-01 15:14:26.000000000 -0400
18559 +++ linux-2.6.16.12/include/asm-powerpc/a.out.h 2006-05-01 20:17:34.000000000 -0400
18560 @@ -23,12 +23,12 @@ struct exec
18561 #define STACK_TOP_USER64 TASK_SIZE_USER64
18562 #define STACK_TOP_USER32 TASK_SIZE_USER32
18564 -#define STACK_TOP (test_thread_flag(TIF_32BIT) ? \
18565 +#define __STACK_TOP (test_thread_flag(TIF_32BIT) ? \
18566 STACK_TOP_USER32 : STACK_TOP_USER64)
18568 #else /* __powerpc64__ */
18570 -#define STACK_TOP TASK_SIZE
18571 +#define __STACK_TOP TASK_SIZE
18573 #endif /* __powerpc64__ */
18574 #endif /* __KERNEL__ */
18575 diff -urNp linux-2.6.16.12/include/asm-powerpc/elf.h linux-2.6.16.12/include/asm-powerpc/elf.h
18576 --- linux-2.6.16.12/include/asm-powerpc/elf.h 2006-05-01 15:14:26.000000000 -0400
18577 +++ linux-2.6.16.12/include/asm-powerpc/elf.h 2006-05-01 20:17:34.000000000 -0400
18578 @@ -176,6 +176,26 @@ typedef elf_vrreg_t elf_vrregset_t32[ELF
18580 #define ELF_ET_DYN_BASE (0x08000000)
18582 +#ifdef CONFIG_PAX_ASLR
18583 +#define PAX_ELF_ET_DYN_BASE(tsk) (0x10000000UL)
18585 +#ifdef __powerpc64__
18586 +#define PAX_DELTA_MMAP_LSB(tsk) PAGE_SHIFT
18587 +#define PAX_DELTA_MMAP_LEN(tsk) (test_thread_flag(TIF_32BIT) ? 16 : 28)
18588 +#define PAX_DELTA_EXEC_LSB(tsk) PAGE_SHIFT
18589 +#define PAX_DELTA_EXEC_LEN(tsk) (test_thread_flag(TIF_32BIT) ? 16 : 28)
18590 +#define PAX_DELTA_STACK_LSB(tsk) PAGE_SHIFT
18591 +#define PAX_DELTA_STACK_LEN(tsk) (test_thread_flag(TIF_32BIT) ? 16 : 28)
18593 +#define PAX_DELTA_MMAP_LSB(tsk) PAGE_SHIFT
18594 +#define PAX_DELTA_MMAP_LEN(tsk) 15
18595 +#define PAX_DELTA_EXEC_LSB(tsk) PAGE_SHIFT
18596 +#define PAX_DELTA_EXEC_LEN(tsk) 15
18597 +#define PAX_DELTA_STACK_LSB(tsk) PAGE_SHIFT
18598 +#define PAX_DELTA_STACK_LEN(tsk) 15
18604 /* Common routine for both 32-bit and 64-bit processes */
18605 diff -urNp linux-2.6.16.12/include/asm-powerpc/page_64.h linux-2.6.16.12/include/asm-powerpc/page_64.h
18606 --- linux-2.6.16.12/include/asm-powerpc/page_64.h 2006-05-01 15:14:26.000000000 -0400
18607 +++ linux-2.6.16.12/include/asm-powerpc/page_64.h 2006-05-01 20:17:34.000000000 -0400
18608 @@ -169,6 +169,15 @@ extern unsigned int HPAGE_SHIFT;
18609 (test_thread_flag(TIF_32BIT) ? \
18610 VM_STACK_DEFAULT_FLAGS32 : VM_STACK_DEFAULT_FLAGS64)
18612 +#ifdef CONFIG_PAX_PAGEEXEC
18613 +#ifdef CONFIG_PAX_MPROTECT
18614 +#define __VM_STACK_FLAGS (((current->mm->pax_flags & MF_PAX_MPROTECT)?0:VM_MAYEXEC) | \
18615 + ((current->mm->pax_flags & MF_PAX_PAGEEXEC)?0:VM_EXEC))
18617 +#define __VM_STACK_FLAGS (VM_MAYEXEC | ((current->mm->pax_flags & MF_PAX_PAGEEXEC)?0:VM_EXEC))
18621 #include <asm-generic/page.h>
18623 #endif /* __KERNEL__ */
18624 diff -urNp linux-2.6.16.12/include/asm-ppc/page.h linux-2.6.16.12/include/asm-ppc/page.h
18625 --- linux-2.6.16.12/include/asm-ppc/page.h 2006-05-01 15:14:26.000000000 -0400
18626 +++ linux-2.6.16.12/include/asm-ppc/page.h 2006-05-01 20:17:34.000000000 -0400
18627 @@ -175,5 +175,14 @@ extern __inline__ int get_order(unsigned
18628 /* We do define AT_SYSINFO_EHDR but don't use the gate mecanism */
18629 #define __HAVE_ARCH_GATE_AREA 1
18631 +#ifdef CONFIG_PAX_PAGEEXEC
18632 +#ifdef CONFIG_PAX_MPROTECT
18633 +#define __VM_STACK_FLAGS (((current->mm->pax_flags & MF_PAX_MPROTECT)?0:VM_MAYEXEC) | \
18634 + ((current->mm->pax_flags & MF_PAX_PAGEEXEC)?0:VM_EXEC))
18636 +#define __VM_STACK_FLAGS (VM_MAYEXEC | ((current->mm->pax_flags & MF_PAX_PAGEEXEC)?0:VM_EXEC))
18640 #endif /* __KERNEL__ */
18641 #endif /* _PPC_PAGE_H */
18642 diff -urNp linux-2.6.16.12/include/asm-ppc/pgtable.h linux-2.6.16.12/include/asm-ppc/pgtable.h
18643 --- linux-2.6.16.12/include/asm-ppc/pgtable.h 2006-05-01 15:14:26.000000000 -0400
18644 +++ linux-2.6.16.12/include/asm-ppc/pgtable.h 2006-05-01 20:17:34.000000000 -0400
18645 @@ -441,11 +441,21 @@ extern unsigned long ioremap_bot, iorema
18647 #define PAGE_NONE __pgprot(_PAGE_BASE)
18648 #define PAGE_READONLY __pgprot(_PAGE_BASE | _PAGE_USER)
18649 -#define PAGE_READONLY_X __pgprot(_PAGE_BASE | _PAGE_USER | _PAGE_EXEC)
18650 +#define PAGE_READONLY_X __pgprot(_PAGE_BASE | _PAGE_USER | _PAGE_EXEC | _PAGE_HWEXEC)
18651 #define PAGE_SHARED __pgprot(_PAGE_BASE | _PAGE_USER | _PAGE_RW)
18652 -#define PAGE_SHARED_X __pgprot(_PAGE_BASE | _PAGE_USER | _PAGE_RW | _PAGE_EXEC)
18653 +#define PAGE_SHARED_X __pgprot(_PAGE_BASE | _PAGE_USER | _PAGE_RW | _PAGE_EXEC | _PAGE_HWEXEC)
18654 #define PAGE_COPY __pgprot(_PAGE_BASE | _PAGE_USER)
18655 -#define PAGE_COPY_X __pgprot(_PAGE_BASE | _PAGE_USER | _PAGE_EXEC)
18656 +#define PAGE_COPY_X __pgprot(_PAGE_BASE | _PAGE_USER | _PAGE_EXEC | _PAGE_HWEXEC)
18658 +#if defined(CONFIG_PAX_PAGEEXEC) && !defined(CONFIG_40x) && !defined(CONFIG_44x)
18659 +# define PAGE_SHARED_NOEXEC __pgprot(_PAGE_BASE | _PAGE_USER | _PAGE_RW | _PAGE_GUARDED)
18660 +# define PAGE_COPY_NOEXEC __pgprot(_PAGE_BASE | _PAGE_USER | _PAGE_GUARDED)
18661 +# define PAGE_READONLY_NOEXEC __pgprot(_PAGE_BASE | _PAGE_USER | _PAGE_GUARDED)
18663 +# define PAGE_SHARED_NOEXEC PAGE_SHARED
18664 +# define PAGE_COPY_NOEXEC PAGE_COPY
18665 +# define PAGE_READONLY_NOEXEC PAGE_READONLY
18668 #define PAGE_KERNEL __pgprot(_PAGE_RAM)
18669 #define PAGE_KERNEL_NOCACHE __pgprot(_PAGE_IO)
18670 @@ -457,21 +467,21 @@ extern unsigned long ioremap_bot, iorema
18671 * This is the closest we can get..
18673 #define __P000 PAGE_NONE
18674 -#define __P001 PAGE_READONLY_X
18675 -#define __P010 PAGE_COPY
18676 -#define __P011 PAGE_COPY_X
18677 -#define __P100 PAGE_READONLY
18678 +#define __P001 PAGE_READONLY_NOEXEC
18679 +#define __P010 PAGE_COPY_NOEXEC
18680 +#define __P011 PAGE_COPY_NOEXEC
18681 +#define __P100 PAGE_READONLY_X
18682 #define __P101 PAGE_READONLY_X
18683 -#define __P110 PAGE_COPY
18684 +#define __P110 PAGE_COPY_X
18685 #define __P111 PAGE_COPY_X
18687 #define __S000 PAGE_NONE
18688 -#define __S001 PAGE_READONLY_X
18689 -#define __S010 PAGE_SHARED
18690 -#define __S011 PAGE_SHARED_X
18691 -#define __S100 PAGE_READONLY
18692 +#define __S001 PAGE_READONLY_NOEXEC
18693 +#define __S010 PAGE_SHARED_NOEXEC
18694 +#define __S011 PAGE_SHARED_NOEXEC
18695 +#define __S100 PAGE_READONLY_X
18696 #define __S101 PAGE_READONLY_X
18697 -#define __S110 PAGE_SHARED
18698 +#define __S110 PAGE_SHARED_X
18699 #define __S111 PAGE_SHARED_X
18701 #ifndef __ASSEMBLY__
18702 diff -urNp linux-2.6.16.12/include/asm-sparc/a.out.h linux-2.6.16.12/include/asm-sparc/a.out.h
18703 --- linux-2.6.16.12/include/asm-sparc/a.out.h 2006-05-01 15:14:26.000000000 -0400
18704 +++ linux-2.6.16.12/include/asm-sparc/a.out.h 2006-05-01 20:17:34.000000000 -0400
18705 @@ -91,7 +91,7 @@ struct relocation_info /* used when head
18707 #include <asm/page.h>
18709 -#define STACK_TOP (PAGE_OFFSET - PAGE_SIZE)
18710 +#define __STACK_TOP (PAGE_OFFSET - PAGE_SIZE)
18712 #endif /* __KERNEL__ */
18714 diff -urNp linux-2.6.16.12/include/asm-sparc/elf.h linux-2.6.16.12/include/asm-sparc/elf.h
18715 --- linux-2.6.16.12/include/asm-sparc/elf.h 2006-05-01 15:14:26.000000000 -0400
18716 +++ linux-2.6.16.12/include/asm-sparc/elf.h 2006-05-01 20:17:34.000000000 -0400
18717 @@ -145,6 +145,17 @@ typedef struct {
18719 #define ELF_ET_DYN_BASE (TASK_UNMAPPED_BASE)
18721 +#ifdef CONFIG_PAX_ASLR
18722 +#define PAX_ELF_ET_DYN_BASE(tsk) 0x10000UL
18724 +#define PAX_DELTA_MMAP_LSB(tsk) PAGE_SHIFT
18725 +#define PAX_DELTA_MMAP_LEN(tsk) 16
18726 +#define PAX_DELTA_EXEC_LSB(tsk) PAGE_SHIFT
18727 +#define PAX_DELTA_EXEC_LEN(tsk) 16
18728 +#define PAX_DELTA_STACK_LSB(tsk) PAGE_SHIFT
18729 +#define PAX_DELTA_STACK_LEN(tsk) 16
18732 /* This yields a mask that user programs can use to figure out what
18733 instruction set this cpu supports. This can NOT be done in userspace
18735 diff -urNp linux-2.6.16.12/include/asm-sparc/page.h linux-2.6.16.12/include/asm-sparc/page.h
18736 --- linux-2.6.16.12/include/asm-sparc/page.h 2006-05-01 15:14:26.000000000 -0400
18737 +++ linux-2.6.16.12/include/asm-sparc/page.h 2006-05-01 20:17:34.000000000 -0400
18738 @@ -164,6 +164,15 @@ extern unsigned long pfn_base;
18739 #define VM_DATA_DEFAULT_FLAGS (VM_READ | VM_WRITE | VM_EXEC | \
18740 VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
18742 +#ifdef CONFIG_PAX_PAGEEXEC
18743 +#ifdef CONFIG_PAX_MPROTECT
18744 +#define __VM_STACK_FLAGS (((current->mm->pax_flags & MF_PAX_MPROTECT)?0:VM_MAYEXEC) | \
18745 + ((current->mm->pax_flags & MF_PAX_PAGEEXEC)?0:VM_EXEC))
18747 +#define __VM_STACK_FLAGS (VM_MAYEXEC | ((current->mm->pax_flags & MF_PAX_PAGEEXEC)?0:VM_EXEC))
18751 #endif /* __KERNEL__ */
18753 #include <asm-generic/page.h>
18754 diff -urNp linux-2.6.16.12/include/asm-sparc/pgtable.h linux-2.6.16.12/include/asm-sparc/pgtable.h
18755 --- linux-2.6.16.12/include/asm-sparc/pgtable.h 2006-05-01 15:14:26.000000000 -0400
18756 +++ linux-2.6.16.12/include/asm-sparc/pgtable.h 2006-05-01 20:17:34.000000000 -0400
18757 @@ -50,6 +50,13 @@ BTFIXUPDEF_INT(page_none)
18758 BTFIXUPDEF_INT(page_shared)
18759 BTFIXUPDEF_INT(page_copy)
18760 BTFIXUPDEF_INT(page_readonly)
18762 +#ifdef CONFIG_PAX_PAGEEXEC
18763 +BTFIXUPDEF_INT(page_shared_noexec)
18764 +BTFIXUPDEF_INT(page_copy_noexec)
18765 +BTFIXUPDEF_INT(page_readonly_noexec)
18768 BTFIXUPDEF_INT(page_kernel)
18770 #define PMD_SHIFT SUN4C_PMD_SHIFT
18771 @@ -71,6 +78,16 @@ BTFIXUPDEF_INT(page_kernel)
18772 #define PAGE_COPY __pgprot(BTFIXUP_INT(page_copy))
18773 #define PAGE_READONLY __pgprot(BTFIXUP_INT(page_readonly))
18775 +#ifdef CONFIG_PAX_PAGEEXEC
18776 +# define PAGE_SHARED_NOEXEC __pgprot(BTFIXUP_INT(page_shared_noexec))
18777 +# define PAGE_COPY_NOEXEC __pgprot(BTFIXUP_INT(page_copy_noexec))
18778 +# define PAGE_READONLY_NOEXEC __pgprot(BTFIXUP_INT(page_readonly_noexec))
18780 +# define PAGE_SHARED_NOEXEC PAGE_SHARED
18781 +# define PAGE_COPY_NOEXEC PAGE_COPY
18782 +# define PAGE_READONLY_NOEXEC PAGE_READONLY
18785 extern unsigned long page_kernel;
18788 diff -urNp linux-2.6.16.12/include/asm-sparc/pgtsrmmu.h linux-2.6.16.12/include/asm-sparc/pgtsrmmu.h
18789 --- linux-2.6.16.12/include/asm-sparc/pgtsrmmu.h 2006-05-01 15:14:26.000000000 -0400
18790 +++ linux-2.6.16.12/include/asm-sparc/pgtsrmmu.h 2006-05-01 20:17:34.000000000 -0400
18791 @@ -115,6 +115,16 @@
18792 SRMMU_EXEC | SRMMU_REF)
18793 #define SRMMU_PAGE_RDONLY __pgprot(SRMMU_VALID | SRMMU_CACHE | \
18794 SRMMU_EXEC | SRMMU_REF)
18796 +#ifdef CONFIG_PAX_PAGEEXEC
18797 +#define SRMMU_PAGE_SHARED_NOEXEC __pgprot(SRMMU_VALID | SRMMU_CACHE | \
18798 + SRMMU_WRITE | SRMMU_REF)
18799 +#define SRMMU_PAGE_COPY_NOEXEC __pgprot(SRMMU_VALID | SRMMU_CACHE | \
18801 +#define SRMMU_PAGE_RDONLY_NOEXEC __pgprot(SRMMU_VALID | SRMMU_CACHE | \
18805 #define SRMMU_PAGE_KERNEL __pgprot(SRMMU_VALID | SRMMU_CACHE | SRMMU_PRIV | \
18806 SRMMU_DIRTY | SRMMU_REF)
18808 diff -urNp linux-2.6.16.12/include/asm-sparc/uaccess.h linux-2.6.16.12/include/asm-sparc/uaccess.h
18809 --- linux-2.6.16.12/include/asm-sparc/uaccess.h 2006-05-01 15:14:26.000000000 -0400
18810 +++ linux-2.6.16.12/include/asm-sparc/uaccess.h 2006-05-01 20:17:34.000000000 -0400
18812 * No one can read/write anything from userland in the kernel space by setting
18813 * large size and address near to PAGE_OFFSET - a fault will break his intentions.
18815 -#define __user_ok(addr, size) ({ (void)(size); (addr) < STACK_TOP; })
18816 +#define __user_ok(addr, size) ({ (void)(size); (addr) < __STACK_TOP; })
18817 #define __kernel_ok (segment_eq(get_fs(), KERNEL_DS))
18818 #define __access_ok(addr,size) (__user_ok((addr) & get_fs().seg,(size)))
18819 #define access_ok(type, addr, size) \
18820 diff -urNp linux-2.6.16.12/include/asm-sparc64/a.out.h linux-2.6.16.12/include/asm-sparc64/a.out.h
18821 --- linux-2.6.16.12/include/asm-sparc64/a.out.h 2006-05-01 15:14:26.000000000 -0400
18822 +++ linux-2.6.16.12/include/asm-sparc64/a.out.h 2006-05-01 20:17:34.000000000 -0400
18823 @@ -95,7 +95,7 @@ struct relocation_info /* used when head
18827 -#define STACK_TOP (test_thread_flag(TIF_32BIT) ? 0xf0000000 : 0x80000000000L)
18828 +#define __STACK_TOP (test_thread_flag(TIF_32BIT) ? 0xf0000000 : 0x80000000000L)
18832 diff -urNp linux-2.6.16.12/include/asm-sparc64/elf.h linux-2.6.16.12/include/asm-sparc64/elf.h
18833 --- linux-2.6.16.12/include/asm-sparc64/elf.h 2006-05-01 15:14:26.000000000 -0400
18834 +++ linux-2.6.16.12/include/asm-sparc64/elf.h 2006-05-01 20:17:34.000000000 -0400
18835 @@ -140,6 +140,16 @@ typedef struct {
18836 #define ELF_ET_DYN_BASE 0x0000010000000000UL
18839 +#ifdef CONFIG_PAX_ASLR
18840 +#define PAX_ELF_ET_DYN_BASE(tsk) (test_thread_flag(TIF_32BIT) ? 0x10000UL : 0x100000UL)
18842 +#define PAX_DELTA_MMAP_LSB(tsk) (PAGE_SHIFT + 1)
18843 +#define PAX_DELTA_MMAP_LEN(tsk) (test_thread_flag(TIF_32BIT) ? 14 : 28 )
18844 +#define PAX_DELTA_EXEC_LSB(tsk) (PAGE_SHIFT + 1)
18845 +#define PAX_DELTA_EXEC_LEN(tsk) (test_thread_flag(TIF_32BIT) ? 14 : 28 )
18846 +#define PAX_DELTA_STACK_LSB(tsk) PAGE_SHIFT
18847 +#define PAX_DELTA_STACK_LEN(tsk) (test_thread_flag(TIF_32BIT) ? 15 : 29 )
18850 /* This yields a mask that user programs can use to figure out what
18851 instruction set this cpu supports. */
18852 diff -urNp linux-2.6.16.12/include/asm-sparc64/page.h linux-2.6.16.12/include/asm-sparc64/page.h
18853 --- linux-2.6.16.12/include/asm-sparc64/page.h 2006-05-01 15:14:26.000000000 -0400
18854 +++ linux-2.6.16.12/include/asm-sparc64/page.h 2006-05-01 20:17:34.000000000 -0400
18855 @@ -147,6 +147,15 @@ extern unsigned long page_to_pfn(struct
18856 #define VM_DATA_DEFAULT_FLAGS (VM_READ | VM_WRITE | VM_EXEC | \
18857 VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
18859 +#ifdef CONFIG_PAX_PAGEEXEC
18860 +#ifdef CONFIG_PAX_MPROTECT
18861 +#define __VM_STACK_FLAGS (((current->mm->pax_flags & MF_PAX_MPROTECT)?0:VM_MAYEXEC) | \
18862 + ((current->mm->pax_flags & MF_PAX_PAGEEXEC)?0:VM_EXEC))
18864 +#define __VM_STACK_FLAGS (VM_MAYEXEC | ((current->mm->pax_flags & MF_PAX_PAGEEXEC)?0:VM_EXEC))
18868 #endif /* !(__KERNEL__) */
18870 #include <asm-generic/page.h>
18871 diff -urNp linux-2.6.16.12/include/asm-x86_64/a.out.h linux-2.6.16.12/include/asm-x86_64/a.out.h
18872 --- linux-2.6.16.12/include/asm-x86_64/a.out.h 2006-05-01 15:14:26.000000000 -0400
18873 +++ linux-2.6.16.12/include/asm-x86_64/a.out.h 2006-05-01 20:17:34.000000000 -0400
18874 @@ -21,7 +21,7 @@ struct exec
18877 #include <linux/thread_info.h>
18878 -#define STACK_TOP TASK_SIZE
18879 +#define __STACK_TOP TASK_SIZE
18882 #endif /* __A_OUT_GNU_H__ */
18883 diff -urNp linux-2.6.16.12/include/asm-x86_64/elf.h linux-2.6.16.12/include/asm-x86_64/elf.h
18884 --- linux-2.6.16.12/include/asm-x86_64/elf.h 2006-05-01 15:14:26.000000000 -0400
18885 +++ linux-2.6.16.12/include/asm-x86_64/elf.h 2006-05-01 20:17:34.000000000 -0400
18886 @@ -89,6 +89,17 @@ typedef struct user_i387_struct elf_fpre
18888 #define ELF_ET_DYN_BASE (2 * TASK_SIZE / 3)
18890 +#ifdef CONFIG_PAX_ASLR
18891 +#define PAX_ELF_ET_DYN_BASE(tsk) (test_thread_flag(TIF_IA32) ? 0x08048000UL : 0x400000UL)
18893 +#define PAX_DELTA_MMAP_LSB(tsk) PAGE_SHIFT
18894 +#define PAX_DELTA_MMAP_LEN(tsk) (test_thread_flag(TIF_IA32) ? 16 : 32)
18895 +#define PAX_DELTA_EXEC_LSB(tsk) PAGE_SHIFT
18896 +#define PAX_DELTA_EXEC_LEN(tsk) (test_thread_flag(TIF_IA32) ? 16 : 32)
18897 +#define PAX_DELTA_STACK_LSB(tsk) PAGE_SHIFT
18898 +#define PAX_DELTA_STACK_LEN(tsk) (test_thread_flag(TIF_IA32) ? 16 : 32)
18901 /* regs is struct pt_regs, pr_reg is elf_gregset_t (which is
18902 now struct_user_regs, they are different). Assumes current is the process
18904 diff -urNp linux-2.6.16.12/include/asm-x86_64/ia32.h linux-2.6.16.12/include/asm-x86_64/ia32.h
18905 --- linux-2.6.16.12/include/asm-x86_64/ia32.h 2006-05-01 15:14:26.000000000 -0400
18906 +++ linux-2.6.16.12/include/asm-x86_64/ia32.h 2006-05-01 20:17:34.000000000 -0400
18907 @@ -157,7 +157,13 @@ struct ustat32 {
18911 -#define IA32_STACK_TOP IA32_PAGE_OFFSET
18912 +#ifdef CONFIG_PAX_RANDUSTACK
18913 +#define IA32_DELTA_STACK (current->mm->delta_stack)
18915 +#define IA32_DELTA_STACK 0UL
18918 +#define IA32_STACK_TOP (IA32_PAGE_OFFSET - IA32_DELTA_STACK)
18922 diff -urNp linux-2.6.16.12/include/asm-x86_64/page.h linux-2.6.16.12/include/asm-x86_64/page.h
18923 --- linux-2.6.16.12/include/asm-x86_64/page.h 2006-05-01 15:14:26.000000000 -0400
18924 +++ linux-2.6.16.12/include/asm-x86_64/page.h 2006-05-01 20:17:34.000000000 -0400
18925 @@ -138,6 +138,15 @@ typedef struct { unsigned long pgprot; }
18926 (((current->personality & READ_IMPLIES_EXEC) ? VM_EXEC : 0 ) | \
18927 VM_READ | VM_WRITE | VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
18929 +#ifdef CONFIG_PAX_PAGEEXEC
18930 +#ifdef CONFIG_PAX_MPROTECT
18931 +#define __VM_STACK_FLAGS (((current->mm->pax_flags & MF_PAX_MPROTECT)?0:VM_MAYEXEC) | \
18932 + ((current->mm->pax_flags & MF_PAX_PAGEEXEC)?0:VM_EXEC))
18934 +#define __VM_STACK_FLAGS (VM_MAYEXEC | ((current->mm->pax_flags & MF_PAX_PAGEEXEC)?0:VM_EXEC))
18938 #define __HAVE_ARCH_GATE_AREA 1
18940 #endif /* __KERNEL__ */
18941 diff -urNp linux-2.6.16.12/include/asm-x86_64/pgalloc.h linux-2.6.16.12/include/asm-x86_64/pgalloc.h
18942 --- linux-2.6.16.12/include/asm-x86_64/pgalloc.h 2006-05-01 15:14:26.000000000 -0400
18943 +++ linux-2.6.16.12/include/asm-x86_64/pgalloc.h 2006-05-01 20:17:34.000000000 -0400
18945 #include <linux/mm.h>
18947 #define pmd_populate_kernel(mm, pmd, pte) \
18948 - set_pmd(pmd, __pmd(_PAGE_TABLE | __pa(pte)))
18949 + set_pmd(pmd, __pmd(_KERNPG_TABLE | __pa(pte)))
18950 #define pud_populate(mm, pud, pmd) \
18951 set_pud(pud, __pud(_PAGE_TABLE | __pa(pmd)))
18952 #define pgd_populate(mm, pgd, pud) \
18953 diff -urNp linux-2.6.16.12/include/asm-x86_64/pgtable.h linux-2.6.16.12/include/asm-x86_64/pgtable.h
18954 --- linux-2.6.16.12/include/asm-x86_64/pgtable.h 2006-05-01 15:14:26.000000000 -0400
18955 +++ linux-2.6.16.12/include/asm-x86_64/pgtable.h 2006-05-01 20:17:34.000000000 -0400
18956 @@ -180,6 +180,10 @@ static inline pte_t ptep_get_and_clear_f
18957 #define PAGE_COPY_EXEC __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_ACCESSED)
18958 #define PAGE_READONLY __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_ACCESSED | _PAGE_NX)
18959 #define PAGE_READONLY_EXEC __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_ACCESSED)
18961 +#define PAGE_READONLY_NOEXEC PAGE_READONLY
18962 +#define PAGE_SHARED_NOEXEC PAGE_SHARED
18964 #define __PAGE_KERNEL \
18965 (_PAGE_PRESENT | _PAGE_RW | _PAGE_DIRTY | _PAGE_ACCESSED | _PAGE_NX)
18966 #define __PAGE_KERNEL_EXEC \
18967 @@ -268,7 +272,13 @@ static inline pte_t pfn_pte(unsigned lon
18968 #define __LARGE_PTE (_PAGE_PSE|_PAGE_PRESENT)
18969 static inline int pte_user(pte_t pte) { return pte_val(pte) & _PAGE_USER; }
18970 static inline int pte_read(pte_t pte) { return pte_val(pte) & _PAGE_USER; }
18971 -static inline int pte_exec(pte_t pte) { return pte_val(pte) & _PAGE_USER; }
18972 +extern inline int pte_exec(pte_t pte)
18974 + if (__supported_pte_mask & _PAGE_NX)
18975 + return pte_val(pte) & _PAGE_NX;
18977 + return pte_val(pte) & _PAGE_USER;
18979 static inline int pte_dirty(pte_t pte) { return pte_val(pte) & _PAGE_DIRTY; }
18980 static inline int pte_young(pte_t pte) { return pte_val(pte) & _PAGE_ACCESSED; }
18981 static inline int pte_write(pte_t pte) { return pte_val(pte) & _PAGE_RW; }
18982 @@ -276,12 +286,26 @@ static inline int pte_file(pte_t pte) {
18983 static inline int pte_huge(pte_t pte) { return (pte_val(pte) & __LARGE_PTE) == __LARGE_PTE; }
18985 static inline pte_t pte_rdprotect(pte_t pte) { set_pte(&pte, __pte(pte_val(pte) & ~_PAGE_USER)); return pte; }
18986 -static inline pte_t pte_exprotect(pte_t pte) { set_pte(&pte, __pte(pte_val(pte) & ~_PAGE_USER)); return pte; }
18987 +extern inline pte_t pte_exprotect(pte_t pte)
18989 + if (__supported_pte_mask & _PAGE_NX)
18990 + set_pte(&pte, __pte(pte_val(pte) & ~_PAGE_NX));
18992 + set_pte(&pte, __pte(pte_val(pte) & ~_PAGE_USER));
18995 static inline pte_t pte_mkclean(pte_t pte) { set_pte(&pte, __pte(pte_val(pte) & ~_PAGE_DIRTY)); return pte; }
18996 static inline pte_t pte_mkold(pte_t pte) { set_pte(&pte, __pte(pte_val(pte) & ~_PAGE_ACCESSED)); return pte; }
18997 static inline pte_t pte_wrprotect(pte_t pte) { set_pte(&pte, __pte(pte_val(pte) & ~_PAGE_RW)); return pte; }
18998 static inline pte_t pte_mkread(pte_t pte) { set_pte(&pte, __pte(pte_val(pte) | _PAGE_USER)); return pte; }
18999 -static inline pte_t pte_mkexec(pte_t pte) { set_pte(&pte, __pte(pte_val(pte) | _PAGE_USER)); return pte; }
19000 +extern inline pte_t pte_mkexec(pte_t pte)
19002 + if (__supported_pte_mask & _PAGE_NX)
19003 + set_pte(&pte, __pte(pte_val(pte) | _PAGE_NX));
19005 + set_pte(&pte, __pte(pte_val(pte) | _PAGE_USER));
19008 static inline pte_t pte_mkdirty(pte_t pte) { set_pte(&pte, __pte(pte_val(pte) | _PAGE_DIRTY)); return pte; }
19009 static inline pte_t pte_mkyoung(pte_t pte) { set_pte(&pte, __pte(pte_val(pte) | _PAGE_ACCESSED)); return pte; }
19010 static inline pte_t pte_mkwrite(pte_t pte) { set_pte(&pte, __pte(pte_val(pte) | _PAGE_RW)); return pte; }
19011 diff -urNp linux-2.6.16.12/include/asm-x86_64/system.h linux-2.6.16.12/include/asm-x86_64/system.h
19012 --- linux-2.6.16.12/include/asm-x86_64/system.h 2006-05-01 15:14:26.000000000 -0400
19013 +++ linux-2.6.16.12/include/asm-x86_64/system.h 2006-05-01 20:17:34.000000000 -0400
19014 @@ -372,6 +372,6 @@ static inline unsigned long __cmpxchg(vo
19016 void cpu_idle_wait(void);
19018 -extern unsigned long arch_align_stack(unsigned long sp);
19019 +#define arch_align_stack(x) (x)
19022 diff -urNp linux-2.6.16.12/include/linux/a.out.h linux-2.6.16.12/include/linux/a.out.h
19023 --- linux-2.6.16.12/include/linux/a.out.h 2006-05-01 15:14:26.000000000 -0400
19024 +++ linux-2.6.16.12/include/linux/a.out.h 2006-05-01 20:17:34.000000000 -0400
19027 #include <asm/a.out.h>
19029 +#ifdef CONFIG_PAX_RANDUSTACK
19030 +#define __DELTA_STACK (current->mm->delta_stack)
19032 +#define __DELTA_STACK 0UL
19036 +#define STACK_TOP (__STACK_TOP - __DELTA_STACK)
19039 #endif /* __STRUCT_EXEC_OVERRIDE__ */
19041 /* these go in the N_MACHTYPE field */
19042 @@ -37,6 +47,14 @@ enum machine_type {
19043 M_MIPS2 = 152 /* MIPS R6000/R4000 binary */
19046 +/* Constants for the N_FLAGS field */
19047 +#define F_PAX_PAGEEXEC 1 /* Paging based non-executable pages */
19048 +#define F_PAX_EMUTRAMP 2 /* Emulate trampolines */
19049 +#define F_PAX_MPROTECT 4 /* Restrict mprotect() */
19050 +#define F_PAX_RANDMMAP 8 /* Randomize mmap() base */
19051 +/*#define F_PAX_RANDEXEC 16*/ /* Randomize ET_EXEC base */
19052 +#define F_PAX_SEGMEXEC 32 /* Segmentation based non-executable pages */
19054 #if !defined (N_MAGIC)
19055 #define N_MAGIC(exec) ((exec).a_info & 0xffff)
19057 diff -urNp linux-2.6.16.12/include/linux/binfmts.h linux-2.6.16.12/include/linux/binfmts.h
19058 --- linux-2.6.16.12/include/linux/binfmts.h 2006-05-01 15:14:26.000000000 -0400
19059 +++ linux-2.6.16.12/include/linux/binfmts.h 2006-05-01 20:17:34.000000000 -0400
19060 @@ -7,10 +7,10 @@ struct pt_regs;
19063 * MAX_ARG_PAGES defines the number of pages allocated for arguments
19064 - * and envelope for the new program. 32 should suffice, this gives
19065 - * a maximum env+arg of 128kB w/4KB pages!
19066 + * and envelope for the new program. 33 should suffice, this gives
19067 + * a maximum env+arg of 132kB w/4KB pages!
19069 -#define MAX_ARG_PAGES 32
19070 +#define MAX_ARG_PAGES 33
19072 /* sizeof(linux_binprm->buf) */
19073 #define BINPRM_BUF_SIZE 128
19074 @@ -38,6 +38,7 @@ struct linux_binprm{
19075 unsigned interp_flags;
19076 unsigned interp_data;
19077 unsigned long loader, exec;
19081 #define BINPRM_FLAGS_ENFORCE_NONDUMP_BIT 0
19082 @@ -87,5 +88,8 @@ extern void compute_creds(struct linux_b
19083 extern int do_coredump(long signr, int exit_code, struct pt_regs * regs);
19084 extern int set_binfmt(struct linux_binfmt *new);
19086 +void pax_report_fault(struct pt_regs *regs, void *pc, void *sp);
19087 +void pax_report_insns(void *pc, void *sp);
19089 #endif /* __KERNEL__ */
19090 #endif /* _LINUX_BINFMTS_H */
19091 diff -urNp linux-2.6.16.12/include/linux/capability.h linux-2.6.16.12/include/linux/capability.h
19092 --- linux-2.6.16.12/include/linux/capability.h 2006-05-01 15:14:26.000000000 -0400
19093 +++ linux-2.6.16.12/include/linux/capability.h 2006-05-01 20:17:34.000000000 -0400
19094 @@ -364,6 +364,7 @@ static inline kernel_cap_t cap_invert(ke
19095 #define cap_is_fs_cap(c) (CAP_TO_MASK(c) & CAP_FS_MASK)
19097 extern int capable(int cap);
19098 +extern int capable_nolog(int cap);
19100 #endif /* __KERNEL__ */
19102 diff -urNp linux-2.6.16.12/include/linux/elf.h linux-2.6.16.12/include/linux/elf.h
19103 --- linux-2.6.16.12/include/linux/elf.h 2006-05-01 15:14:26.000000000 -0400
19104 +++ linux-2.6.16.12/include/linux/elf.h 2006-05-01 20:17:34.000000000 -0400
19106 #include <linux/auxvec.h>
19107 #include <asm/elf.h>
19109 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
19110 +#undef elf_read_implies_exec
19113 #ifndef elf_read_implies_exec
19114 /* Executables for which elf_read_implies_exec() returns TRUE will
19115 have the READ_IMPLIES_EXEC personality flag set automatically.
19116 @@ -46,6 +50,16 @@ typedef __s64 Elf64_Sxword;
19118 #define PT_GNU_STACK (PT_LOOS + 0x474e551)
19120 +#define PT_PAX_FLAGS (PT_LOOS + 0x5041580)
19122 +/* Constants for the e_flags field */
19123 +#define EF_PAX_PAGEEXEC 1 /* Paging based non-executable pages */
19124 +#define EF_PAX_EMUTRAMP 2 /* Emulate trampolines */
19125 +#define EF_PAX_MPROTECT 4 /* Restrict mprotect() */
19126 +#define EF_PAX_RANDMMAP 8 /* Randomize mmap() base */
19127 +/*#define EF_PAX_RANDEXEC 16*/ /* Randomize ET_EXEC base */
19128 +#define EF_PAX_SEGMEXEC 32 /* Segmentation based non-executable pages */
19130 /* These constants define the different elf file types */
19133 @@ -138,6 +152,8 @@ typedef __s64 Elf64_Sxword;
19134 #define DT_DEBUG 21
19135 #define DT_TEXTREL 22
19136 #define DT_JMPREL 23
19137 +#define DT_FLAGS 30
19138 + #define DF_TEXTREL 0x00000004
19139 #define DT_LOPROC 0x70000000
19140 #define DT_HIPROC 0x7fffffff
19142 @@ -267,6 +283,19 @@ typedef struct elf64_hdr {
19146 +#define PF_PAGEEXEC (1U << 4) /* Enable PAGEEXEC */
19147 +#define PF_NOPAGEEXEC (1U << 5) /* Disable PAGEEXEC */
19148 +#define PF_SEGMEXEC (1U << 6) /* Enable SEGMEXEC */
19149 +#define PF_NOSEGMEXEC (1U << 7) /* Disable SEGMEXEC */
19150 +#define PF_MPROTECT (1U << 8) /* Enable MPROTECT */
19151 +#define PF_NOMPROTECT (1U << 9) /* Disable MPROTECT */
19152 +/*#define PF_RANDEXEC (1U << 10)*/ /* Enable RANDEXEC */
19153 +/*#define PF_NORANDEXEC (1U << 11)*/ /* Disable RANDEXEC */
19154 +#define PF_EMUTRAMP (1U << 12) /* Enable EMUTRAMP */
19155 +#define PF_NOEMUTRAMP (1U << 13) /* Disable EMUTRAMP */
19156 +#define PF_RANDMMAP (1U << 14) /* Enable RANDMMAP */
19157 +#define PF_NORANDMMAP (1U << 15) /* Disable RANDMMAP */
19159 typedef struct elf32_phdr{
19161 Elf32_Off p_offset;
19162 @@ -359,6 +388,8 @@ typedef struct elf64_shdr {
19168 #define ELFMAG0 0x7f /* EI_MAG */
19169 #define ELFMAG1 'E'
19170 #define ELFMAG2 'L'
19171 @@ -415,6 +446,7 @@ extern Elf32_Dyn _DYNAMIC [];
19172 #define elfhdr elf32_hdr
19173 #define elf_phdr elf32_phdr
19174 #define elf_note elf32_note
19175 +#define elf_dyn Elf32_Dyn
19179 @@ -422,6 +454,7 @@ extern Elf64_Dyn _DYNAMIC [];
19180 #define elfhdr elf64_hdr
19181 #define elf_phdr elf64_phdr
19182 #define elf_note elf64_note
19183 +#define elf_dyn Elf64_Dyn
19187 diff -urNp linux-2.6.16.12/include/linux/gracl.h linux-2.6.16.12/include/linux/gracl.h
19188 --- linux-2.6.16.12/include/linux/gracl.h 1969-12-31 19:00:00.000000000 -0500
19189 +++ linux-2.6.16.12/include/linux/gracl.h 2006-05-01 20:17:34.000000000 -0400
19194 +#include <linux/grdefs.h>
19195 +#include <linux/resource.h>
19196 +#include <linux/dcache.h>
19197 +#include <asm/resource.h>
19199 +/* Major status information */
19201 +#define GR_VERSION "grsecurity 2.1.9"
19202 +#define GRSECURITY_VERSION 0x219
19217 +/* Password setup definitions
19218 + * kernel/grhash.c */
19221 + GR_SALT_LEN = 16,
19226 + GR_SPROLE_LEN = 64,
19229 +#define GR_NLIMITS (RLIMIT_LOCKS + 2)
19231 +/* Begin Data Structures */
19233 +struct sprole_pw {
19234 + unsigned char *rolename;
19235 + unsigned char salt[GR_SALT_LEN];
19236 + unsigned char sum[GR_SHA_LEN]; /* 256-bit SHA hash of the password */
19239 +struct name_entry {
19245 + struct name_entry *prev;
19246 + struct name_entry *next;
19249 +struct inodev_entry {
19250 + struct name_entry *nentry;
19251 + struct inodev_entry *prev;
19252 + struct inodev_entry *next;
19255 +struct acl_role_db {
19256 + struct acl_role_label **r_hash;
19260 +struct inodev_db {
19261 + struct inodev_entry **i_hash;
19266 + struct name_entry **n_hash;
19270 +struct crash_uid {
19272 + unsigned long expires;
19275 +struct gr_hash_struct {
19277 + void **nametable;
19279 + __u32 table_size;
19284 +/* Userspace Grsecurity ACL data structures */
19286 +struct acl_subject_label {
19294 + struct rlimit res[GR_NLIMITS];
19297 + __u8 user_trans_type;
19298 + __u8 group_trans_type;
19299 + uid_t *user_transitions;
19300 + gid_t *group_transitions;
19301 + __u16 user_trans_num;
19302 + __u16 group_trans_num;
19304 + __u32 ip_proto[8];
19306 + struct acl_ip_label **ips;
19310 + unsigned long expires;
19312 + struct acl_subject_label *parent_subject;
19313 + struct gr_hash_struct *hash;
19314 + struct acl_subject_label *prev;
19315 + struct acl_subject_label *next;
19317 + struct acl_object_label **obj_hash;
19318 + __u32 obj_hash_size;
19322 +struct role_allowed_ip {
19326 + struct role_allowed_ip *prev;
19327 + struct role_allowed_ip *next;
19330 +struct role_transition {
19333 + struct role_transition *prev;
19334 + struct role_transition *next;
19337 +struct acl_role_label {
19342 + __u16 auth_attempts;
19343 + unsigned long expires;
19345 + struct acl_subject_label *root_label;
19346 + struct gr_hash_struct *hash;
19348 + struct acl_role_label *prev;
19349 + struct acl_role_label *next;
19351 + struct role_transition *transitions;
19352 + struct role_allowed_ip *allowed_ips;
19353 + uid_t *domain_children;
19354 + __u16 domain_child_num;
19356 + struct acl_subject_label **subj_hash;
19357 + __u32 subj_hash_size;
19360 +struct user_acl_role_db {
19361 + struct acl_role_label **r_table;
19362 + __u32 num_pointers; /* Number of allocations to track */
19363 + __u32 num_roles; /* Number of roles */
19364 + __u32 num_domain_children; /* Number of domain children */
19365 + __u32 num_subjects; /* Number of subjects */
19366 + __u32 num_objects; /* Number of objects */
19369 +struct acl_object_label {
19375 + struct acl_subject_label *nested;
19376 + struct acl_object_label *globbed;
19378 + /* next two structures not used */
19380 + struct acl_object_label *prev;
19381 + struct acl_object_label *next;
19384 +struct acl_ip_label {
19393 + /* next two structures not used */
19395 + struct acl_ip_label *prev;
19396 + struct acl_ip_label *next;
19400 + struct user_acl_role_db role_db;
19401 + unsigned char pw[GR_PW_LEN];
19402 + unsigned char salt[GR_SALT_LEN];
19403 + unsigned char sum[GR_SHA_LEN];
19404 + unsigned char sp_role[GR_SPROLE_LEN];
19405 + struct sprole_pw *sprole_pws;
19406 + dev_t segv_device;
19407 + ino_t segv_inode;
19409 + __u16 num_sprole_pws;
19413 +struct gr_arg_wrapper {
19414 + struct gr_arg *arg;
19419 +struct subject_map {
19420 + struct acl_subject_label *user;
19421 + struct acl_subject_label *kernel;
19422 + struct subject_map *prev;
19423 + struct subject_map *next;
19426 +struct acl_subj_map_db {
19427 + struct subject_map **s_hash;
19431 +/* End Data Structures Section */
19433 +/* Hash functions generated by empirical testing by Brad Spengler
19434 + Makes good use of the low bits of the inode. Generally 0-1 times
19435 + in loop for successful match. 0-3 for unsuccessful match.
19436 + Shift/add algorithm with modulus of table size and an XOR*/
19438 +static __inline__ unsigned int
19439 +rhash(const uid_t uid, const __u16 type, const unsigned int sz)
19441 + return (((uid << type) + (uid ^ type)) % sz);
19444 + static __inline__ unsigned int
19445 +shash(const struct acl_subject_label *userp, const unsigned int sz)
19447 + return ((const unsigned long)userp % sz);
19450 +static __inline__ unsigned int
19451 +fhash(const ino_t ino, const dev_t dev, const unsigned int sz)
19453 + return (((ino + dev) ^ ((ino << 13) + (ino << 23) + (dev << 9))) % sz);
19456 +static __inline__ unsigned int
19457 +nhash(const char *name, const __u16 len, const unsigned int sz)
19459 + return full_name_hash(name, len) % sz;
19462 +#define FOR_EACH_ROLE_START(role,iter) \
19465 + while (iter < acl_role_set.r_size) { \
19466 + if (role == NULL) \
19467 + role = acl_role_set.r_hash[iter]; \
19468 + if (role == NULL) { \
19473 +#define FOR_EACH_ROLE_END(role,iter) \
19474 + role = role->next; \
19475 + if (role == NULL) \
19479 +#define FOR_EACH_SUBJECT_START(role,subj,iter) \
19482 + while (iter < role->subj_hash_size) { \
19483 + if (subj == NULL) \
19484 + subj = role->subj_hash[iter]; \
19485 + if (subj == NULL) { \
19490 +#define FOR_EACH_SUBJECT_END(subj,iter) \
19491 + subj = subj->next; \
19492 + if (subj == NULL) \
19497 +#define FOR_EACH_NESTED_SUBJECT_START(role,subj) \
19498 + subj = role->hash->first; \
19499 + while (subj != NULL) {
19501 +#define FOR_EACH_NESTED_SUBJECT_END(subj) \
19502 + subj = subj->next; \
19507 diff -urNp linux-2.6.16.12/include/linux/gralloc.h linux-2.6.16.12/include/linux/gralloc.h
19508 --- linux-2.6.16.12/include/linux/gralloc.h 1969-12-31 19:00:00.000000000 -0500
19509 +++ linux-2.6.16.12/include/linux/gralloc.h 2006-05-01 20:17:34.000000000 -0400
19511 +#ifndef __GRALLOC_H
19512 +#define __GRALLOC_H
19514 +void acl_free_all(void);
19515 +int acl_alloc_stack_init(unsigned long size);
19516 +void *acl_alloc(unsigned long len);
19519 diff -urNp linux-2.6.16.12/include/linux/grdefs.h linux-2.6.16.12/include/linux/grdefs.h
19520 --- linux-2.6.16.12/include/linux/grdefs.h 1969-12-31 19:00:00.000000000 -0500
19521 +++ linux-2.6.16.12/include/linux/grdefs.h 2006-05-01 20:17:34.000000000 -0400
19526 +/* Begin grsecurity status declarations */
19530 + GR_STATUS_INIT = 0x00 // disabled state
19533 +/* Begin ACL declarations */
19538 + GR_ROLE_USER = 0x0001,
19539 + GR_ROLE_GROUP = 0x0002,
19540 + GR_ROLE_DEFAULT = 0x0004,
19541 + GR_ROLE_SPECIAL = 0x0008,
19542 + GR_ROLE_AUTH = 0x0010,
19543 + GR_ROLE_NOPW = 0x0020,
19544 + GR_ROLE_GOD = 0x0040,
19545 + GR_ROLE_LEARN = 0x0080,
19546 + GR_ROLE_TPE = 0x0100,
19547 + GR_ROLE_DOMAIN = 0x0200,
19548 + GR_ROLE_PAM = 0x0400
19551 +/* ACL Subject and Object mode flags */
19553 + GR_DELETED = 0x80000000
19556 +/* ACL Object-only mode flags */
19558 + GR_READ = 0x00000001,
19559 + GR_APPEND = 0x00000002,
19560 + GR_WRITE = 0x00000004,
19561 + GR_EXEC = 0x00000008,
19562 + GR_FIND = 0x00000010,
19563 + GR_INHERIT = 0x00000020,
19564 + GR_SETID = 0x00000040,
19565 + GR_CREATE = 0x00000080,
19566 + GR_DELETE = 0x00000100,
19567 + GR_LINK = 0x00000200,
19568 + GR_AUDIT_READ = 0x00000400,
19569 + GR_AUDIT_APPEND = 0x00000800,
19570 + GR_AUDIT_WRITE = 0x00001000,
19571 + GR_AUDIT_EXEC = 0x00002000,
19572 + GR_AUDIT_FIND = 0x00004000,
19573 + GR_AUDIT_INHERIT= 0x00008000,
19574 + GR_AUDIT_SETID = 0x00010000,
19575 + GR_AUDIT_CREATE = 0x00020000,
19576 + GR_AUDIT_DELETE = 0x00040000,
19577 + GR_AUDIT_LINK = 0x00080000,
19578 + GR_PTRACERD = 0x00100000,
19579 + GR_NOPTRACE = 0x00200000,
19580 + GR_SUPPRESS = 0x00400000,
19581 + GR_NOLEARN = 0x00800000
19584 +#define GR_AUDITS (GR_AUDIT_READ | GR_AUDIT_WRITE | GR_AUDIT_APPEND | GR_AUDIT_EXEC | \
19585 + GR_AUDIT_FIND | GR_AUDIT_INHERIT | GR_AUDIT_SETID | \
19586 + GR_AUDIT_CREATE | GR_AUDIT_DELETE | GR_AUDIT_LINK)
19588 +/* ACL subject-only mode flags */
19590 + GR_KILL = 0x00000001,
19591 + GR_VIEW = 0x00000002,
19592 + GR_PROTECTED = 0x00000004,
19593 + GR_LEARN = 0x00000008,
19594 + GR_OVERRIDE = 0x00000010,
19595 + /* just a placeholder, this mode is only used in userspace */
19596 + GR_DUMMY = 0x00000020,
19597 + GR_PROTSHM = 0x00000040,
19598 + GR_KILLPROC = 0x00000080,
19599 + GR_KILLIPPROC = 0x00000100,
19600 + /* just a placeholder, this mode is only used in userspace */
19601 + GR_NOTROJAN = 0x00000200,
19602 + GR_PROTPROCFD = 0x00000400,
19603 + GR_PROCACCT = 0x00000800,
19604 + GR_RELAXPTRACE = 0x00001000,
19605 + GR_NESTED = 0x00002000,
19606 + GR_INHERITLEARN = 0x00004000,
19607 + GR_PROCFIND = 0x00008000,
19608 + GR_POVERRIDE = 0x00010000,
19609 + GR_KERNELAUTH = 0x00020000,
19613 + GR_PAX_ENABLE_SEGMEXEC = 0x0001,
19614 + GR_PAX_ENABLE_PAGEEXEC = 0x0002,
19615 + GR_PAX_ENABLE_MPROTECT = 0x0004,
19616 + GR_PAX_ENABLE_RANDMMAP = 0x0008,
19617 + GR_PAX_ENABLE_EMUTRAMP = 0x0010,
19618 + GR_PAX_DISABLE_SEGMEXEC = 0x8001,
19619 + GR_PAX_DISABLE_PAGEEXEC = 0x8002,
19620 + GR_PAX_DISABLE_MPROTECT = 0x8004,
19621 + GR_PAX_DISABLE_RANDMMAP = 0x8008,
19622 + GR_PAX_DISABLE_EMUTRAMP = 0x8010,
19626 + GR_ID_USER = 0x01,
19627 + GR_ID_GROUP = 0x02,
19631 + GR_ID_ALLOW = 0x01,
19632 + GR_ID_DENY = 0x02,
19635 +#define GR_CRASH_RES 11
19636 +#define GR_UIDTABLE_MAX 500
19638 +/* begin resource learning section */
19640 + GR_RLIM_CPU_BUMP = 60,
19641 + GR_RLIM_FSIZE_BUMP = 50000,
19642 + GR_RLIM_DATA_BUMP = 10000,
19643 + GR_RLIM_STACK_BUMP = 1000,
19644 + GR_RLIM_CORE_BUMP = 10000,
19645 + GR_RLIM_RSS_BUMP = 500000,
19646 + GR_RLIM_NPROC_BUMP = 1,
19647 + GR_RLIM_NOFILE_BUMP = 5,
19648 + GR_RLIM_MEMLOCK_BUMP = 50000,
19649 + GR_RLIM_AS_BUMP = 500000,
19650 + GR_RLIM_LOCKS_BUMP = 2
19654 diff -urNp linux-2.6.16.12/include/linux/grinternal.h linux-2.6.16.12/include/linux/grinternal.h
19655 --- linux-2.6.16.12/include/linux/grinternal.h 1969-12-31 19:00:00.000000000 -0500
19656 +++ linux-2.6.16.12/include/linux/grinternal.h 2006-05-01 20:17:34.000000000 -0400
19658 +#ifndef __GRINTERNAL_H
19659 +#define __GRINTERNAL_H
19661 +#ifdef CONFIG_GRKERNSEC
19663 +#include <linux/fs.h>
19664 +#include <linux/gracl.h>
19665 +#include <linux/grdefs.h>
19666 +#include <linux/grmsg.h>
19668 +extern void gr_add_learn_entry(const char *fmt, ...);
19669 +extern __u32 gr_search_file(const struct dentry *dentry, const __u32 mode,
19670 + const struct vfsmount *mnt);
19671 +extern __u32 gr_check_create(const struct dentry *new_dentry,
19672 + const struct dentry *parent,
19673 + const struct vfsmount *mnt, const __u32 mode);
19674 +extern int gr_check_protected_task(const struct task_struct *task);
19675 +extern __u32 to_gr_audit(const __u32 reqmode);
19676 +extern int gr_set_acls(const int type);
19678 +extern int gr_acl_is_enabled(void);
19679 +extern char gr_roletype_to_char(void);
19681 +extern void gr_handle_alertkill(struct task_struct *task);
19682 +extern char *gr_to_filename(const struct dentry *dentry,
19683 + const struct vfsmount *mnt);
19684 +extern char *gr_to_filename1(const struct dentry *dentry,
19685 + const struct vfsmount *mnt);
19686 +extern char *gr_to_filename2(const struct dentry *dentry,
19687 + const struct vfsmount *mnt);
19688 +extern char *gr_to_filename3(const struct dentry *dentry,
19689 + const struct vfsmount *mnt);
19691 +extern int grsec_enable_link;
19692 +extern int grsec_enable_fifo;
19693 +extern int grsec_enable_execve;
19694 +extern int grsec_enable_shm;
19695 +extern int grsec_enable_execlog;
19696 +extern int grsec_enable_signal;
19697 +extern int grsec_enable_forkfail;
19698 +extern int grsec_enable_time;
19699 +extern int grsec_enable_chroot_shmat;
19700 +extern int grsec_enable_chroot_findtask;
19701 +extern int grsec_enable_chroot_mount;
19702 +extern int grsec_enable_chroot_double;
19703 +extern int grsec_enable_chroot_pivot;
19704 +extern int grsec_enable_chroot_chdir;
19705 +extern int grsec_enable_chroot_chmod;
19706 +extern int grsec_enable_chroot_mknod;
19707 +extern int grsec_enable_chroot_fchdir;
19708 +extern int grsec_enable_chroot_nice;
19709 +extern int grsec_enable_chroot_execlog;
19710 +extern int grsec_enable_chroot_caps;
19711 +extern int grsec_enable_chroot_sysctl;
19712 +extern int grsec_enable_chroot_unix;
19713 +extern int grsec_enable_tpe;
19714 +extern int grsec_tpe_gid;
19715 +extern int grsec_enable_tpe_all;
19716 +extern int grsec_enable_sidcaps;
19717 +extern int grsec_enable_randpid;
19718 +extern int grsec_enable_socket_all;
19719 +extern int grsec_socket_all_gid;
19720 +extern int grsec_enable_socket_client;
19721 +extern int grsec_socket_client_gid;
19722 +extern int grsec_enable_socket_server;
19723 +extern int grsec_socket_server_gid;
19724 +extern int grsec_audit_gid;
19725 +extern int grsec_enable_group;
19726 +extern int grsec_enable_audit_ipc;
19727 +extern int grsec_enable_audit_textrel;
19728 +extern int grsec_enable_mount;
19729 +extern int grsec_enable_chdir;
19730 +extern int grsec_lock;
19732 +extern struct task_struct *child_reaper;
19734 +extern spinlock_t grsec_alert_lock;
19735 +extern unsigned long grsec_alert_wtime;
19736 +extern unsigned long grsec_alert_fyet;
19738 +extern spinlock_t grsec_audit_lock;
19740 +extern rwlock_t grsec_exec_file_lock;
19742 +#define gr_task_fullpath(tsk) (tsk->exec_file ? \
19743 + gr_to_filename2(tsk->exec_file->f_dentry, \
19744 + tsk->exec_file->f_vfsmnt) : "/")
19746 +#define gr_parent_task_fullpath(tsk) (tsk->parent->exec_file ? \
19747 + gr_to_filename3(tsk->parent->exec_file->f_dentry, \
19748 + tsk->parent->exec_file->f_vfsmnt) : "/")
19750 +#define gr_task_fullpath0(tsk) (tsk->exec_file ? \
19751 + gr_to_filename(tsk->exec_file->f_dentry, \
19752 + tsk->exec_file->f_vfsmnt) : "/")
19754 +#define gr_parent_task_fullpath0(tsk) (tsk->parent->exec_file ? \
19755 + gr_to_filename1(tsk->parent->exec_file->f_dentry, \
19756 + tsk->parent->exec_file->f_vfsmnt) : "/")
19758 +#define proc_is_chrooted(tsk_a) ((tsk_a->pid > 1) && (tsk_a->fs != NULL) && \
19759 + ((tsk_a->fs->root->d_inode->i_sb->s_dev != \
19760 + child_reaper->fs->root->d_inode->i_sb->s_dev) || \
19761 + (tsk_a->fs->root->d_inode->i_ino != \
19762 + child_reaper->fs->root->d_inode->i_ino)))
19764 +#define have_same_root(tsk_a,tsk_b) ((tsk_a->fs != NULL) && (tsk_b->fs != NULL) && \
19765 + (tsk_a->fs->root->d_inode->i_sb->s_dev == \
19766 + tsk_b->fs->root->d_inode->i_sb->s_dev) && \
19767 + (tsk_a->fs->root->d_inode->i_ino == \
19768 + tsk_b->fs->root->d_inode->i_ino))
19770 +#define DEFAULTSECARGS(task) gr_task_fullpath(task), task->comm, \
19771 + task->pid, task->uid, \
19772 + task->euid, task->gid, task->egid, \
19773 + gr_parent_task_fullpath(task), \
19774 + task->parent->comm, task->parent->pid, \
19775 + task->parent->uid, task->parent->euid, \
19776 + task->parent->gid, task->parent->egid
19778 +#define GR_CHROOT_CAPS ( \
19779 + CAP_TO_MASK(CAP_LINUX_IMMUTABLE) | CAP_TO_MASK(CAP_NET_ADMIN) | \
19780 + CAP_TO_MASK(CAP_SYS_MODULE) | CAP_TO_MASK(CAP_SYS_RAWIO) | \
19781 + CAP_TO_MASK(CAP_SYS_PACCT) | CAP_TO_MASK(CAP_SYS_ADMIN) | \
19782 + CAP_TO_MASK(CAP_SYS_BOOT) | CAP_TO_MASK(CAP_SYS_TIME) | \
19783 + CAP_TO_MASK(CAP_NET_RAW) | CAP_TO_MASK(CAP_SYS_TTY_CONFIG) | \
19784 + CAP_TO_MASK(CAP_IPC_OWNER))
19786 +#define security_learn(normal_msg,args...) \
19788 + read_lock(&grsec_exec_file_lock); \
19789 + gr_add_learn_entry(normal_msg "\n", ## args); \
19790 + read_unlock(&grsec_exec_file_lock); \
19796 + GR_DONT_AUDIT_GOOD
19809 + GR_ONE_INT_TWO_STR,
19814 + GR_FIVE_INT_TWO_STR,
19820 + GR_FILENAME_TWO_INT,
19821 + GR_FILENAME_TWO_INT_STR,
19832 +#define gr_log_ttysniff(audit, msg, task) gr_log_varargs(audit, msg, GR_TTYSNIFF, task)
19833 +#define gr_log_fs_rbac_generic(audit, msg, dentry, mnt) gr_log_varargs(audit, msg, GR_RBAC, dentry, mnt)
19834 +#define gr_log_fs_rbac_str(audit, msg, dentry, mnt, str) gr_log_varargs(audit, msg, GR_RBAC_STR, dentry, mnt, str)
19835 +#define gr_log_fs_str_rbac(audit, msg, str, dentry, mnt) gr_log_varargs(audit, msg, GR_STR_RBAC, str, dentry, mnt)
19836 +#define gr_log_fs_rbac_mode2(audit, msg, dentry, mnt, str1, str2) gr_log_varargs(audit, msg, GR_RBAC_MODE2, dentry, mnt, str1, str2)
19837 +#define gr_log_fs_rbac_mode3(audit, msg, dentry, mnt, str1, str2, str3) gr_log_varargs(audit, msg, GR_RBAC_MODE3, dentry, mnt, str1, str2, str3)
19838 +#define gr_log_fs_generic(audit, msg, dentry, mnt) gr_log_varargs(audit, msg, GR_FILENAME, dentry, mnt)
19839 +#define gr_log_noargs(audit, msg) gr_log_varargs(audit, msg, GR_NOARGS)
19840 +#define gr_log_int(audit, msg, num) gr_log_varargs(audit, msg, GR_ONE_INT, num)
19841 +#define gr_log_int_str2(audit, msg, num, str1, str2) gr_log_varargs(audit, msg, GR_ONE_INT_TWO_STR, num, str1, str2)
19842 +#define gr_log_str(audit, msg, str) gr_log_varargs(audit, msg, GR_ONE_STR, str)
19843 +#define gr_log_str_int(audit, msg, str, num) gr_log_varargs(audit, msg, GR_STR_INT, str, num)
19844 +#define gr_log_int_int(audit, msg, num1, num2) gr_log_varargs(audit, msg, GR_TWO_INT, num1, num2)
19845 +#define gr_log_int3(audit, msg, num1, num2, num3) gr_log_varargs(audit, msg, GR_THREE_INT, num1, num2, num3)
19846 +#define gr_log_int5_str2(audit, msg, num1, num2, str1, str2) gr_log_varargs(audit, msg, GR_FIVE_INT_TWO_STR, num1, num2, str1, str2)
19847 +#define gr_log_str_str(audit, msg, str1, str2) gr_log_varargs(audit, msg, GR_TWO_STR, str1, str2)
19848 +#define gr_log_str3(audit, msg, str1, str2, str3) gr_log_varargs(audit, msg, GR_THREE_STR, str1, str2, str3)
19849 +#define gr_log_str4(audit, msg, str1, str2, str3, str4) gr_log_varargs(audit, msg, GR_FOUR_STR, str1, str2, str3, str4)
19850 +#define gr_log_str_fs(audit, msg, str, dentry, mnt) gr_log_varargs(audit, msg, GR_STR_FILENAME, str, dentry, mnt)
19851 +#define gr_log_fs_str(audit, msg, dentry, mnt, str) gr_log_varargs(audit, msg, GR_FILENAME_STR, dentry, mnt, str)
19852 +#define gr_log_fs_int2(audit, msg, dentry, mnt, num1, num2) gr_log_varargs(audit, msg, GR_FILENAME_TWO_INT, dentry, mnt, num1, num2)
19853 +#define gr_log_fs_int2_str(audit, msg, dentry, mnt, num1, num2, str) gr_log_varargs(audit, msg, GR_FILENAME_TWO_INT_STR, dentry, mnt, num1, num2, str)
19854 +#define gr_log_textrel_ulong_ulong(audit, msg, file, ulong1, ulong2) gr_log_varargs(audit, msg, GR_TEXTREL, file, ulong1, ulong2)
19855 +#define gr_log_ptrace(audit, msg, task) gr_log_varargs(audit, msg, GR_PTRACE, task)
19856 +#define gr_log_res_ulong2_str(audit, msg, task, ulong1, str, ulong2) gr_log_varargs(audit, msg, GR_RESOURCE, task, ulong1, str, ulong2)
19857 +#define gr_log_cap(audit, msg, task, str) gr_log_varargs(audit, msg, GR_CAP, task, str)
19858 +#define gr_log_sig(audit, msg, task, num) gr_log_varargs(audit, msg, GR_SIG, task, num)
19859 +#define gr_log_crash1(audit, msg, task, ulong) gr_log_varargs(audit, msg, GR_CRASH1, task, ulong)
19860 +#define gr_log_crash2(audit, msg, task, ulong1) gr_log_varargs(audit, msg, GR_CRASH2, task, ulong1)
19861 +#define gr_log_procacct(audit, msg, task, num1, num2, num3, num4, num5, num6, num7, num8, num9) gr_log_varargs(audit, msg, GR_PSACCT, task, num1, num2, num3, num4, num5, num6, num7, num8, num9)
19863 +extern void gr_log_varargs(int audit, const char *msg, int argtypes, ...);
19868 diff -urNp linux-2.6.16.12/include/linux/grmsg.h linux-2.6.16.12/include/linux/grmsg.h
19869 --- linux-2.6.16.12/include/linux/grmsg.h 1969-12-31 19:00:00.000000000 -0500
19870 +++ linux-2.6.16.12/include/linux/grmsg.h 2006-05-01 20:17:34.000000000 -0400
19872 +#define DEFAULTSECMSG "%.256s[%.16s:%d] uid/euid:%u/%u gid/egid:%u/%u, parent %.256s[%.16s:%d] uid/euid:%u/%u gid/egid:%u/%u"
19873 +#define GR_ACL_PROCACCT_MSG "%.256s[%.16s:%d] IP:%u.%u.%u.%u TTY:%.64s uid/euid:%u/%u gid/egid:%u/%u run time:[%ud %uh %um %us] cpu time:[%ud %uh %um %us] %s with exit code %ld, parent %.256s[%.16s:%d] IP:%u.%u.%u.%u TTY:%.64s uid/euid:%u/%u gid/egid:%u/%u"
19874 +#define GR_PTRACE_ACL_MSG "denied ptrace of %.950s(%.16s:%d) by "
19875 +#define GR_STOPMOD_MSG "denied modification of module state by "
19876 +#define GR_IOPERM_MSG "denied use of ioperm() by "
19877 +#define GR_IOPL_MSG "denied use of iopl() by "
19878 +#define GR_SHMAT_ACL_MSG "denied attach of shared memory of UID %u, PID %d, ID %u by "
19879 +#define GR_UNIX_CHROOT_MSG "denied connect() to abstract AF_UNIX socket outside of chroot by "
19880 +#define GR_SHMAT_CHROOT_MSG "denied attach of shared memory outside of chroot by "
19881 +#define GR_KMEM_MSG "denied write of /dev/kmem by "
19882 +#define GR_PORT_OPEN_MSG "denied open of /dev/port by "
19883 +#define GR_MEM_WRITE_MSG "denied write of /dev/mem by "
19884 +#define GR_MEM_MMAP_MSG "denied mmap write of /dev/[k]mem by "
19885 +#define GR_SYMLINK_MSG "not following symlink %.950s owned by %d.%d by "
19886 +#define GR_LEARN_AUDIT_MSG "%s\t%u\t%u\t%u\t%.4095s\t%.4095s\t%lu\t%lu\t%.4095s\t%lu\t%u.%u.%u.%u"
19887 +#define GR_ID_LEARN_MSG "%s\t%u\t%u\t%u\t%.4095s\t%.4095s\t%c\t%d\t%d\t%d\t%u.%u.%u.%u"
19888 +#define GR_HIDDEN_ACL_MSG "%s access to hidden file %.950s by "
19889 +#define GR_OPEN_ACL_MSG "%s open of %.950s for%s%s by "
19890 +#define GR_CREATE_ACL_MSG "%s create of %.950s for%s%s by "
19891 +#define GR_FIFO_MSG "denied writing FIFO %.950s of %d.%d by "
19892 +#define GR_MKNOD_CHROOT_MSG "denied mknod of %.950s from chroot by "
19893 +#define GR_MKNOD_ACL_MSG "%s mknod of %.950s by "
19894 +#define GR_UNIXCONNECT_ACL_MSG "%s connect() to the unix domain socket %.950s by "
19895 +#define GR_TTYSNIFF_ACL_MSG "terminal being sniffed by IP:%u.%u.%u.%u %.480s[%.16s:%d], parent %.480s[%.16s:%d] against "
19896 +#define GR_MKDIR_ACL_MSG "%s mkdir of %.950s by "
19897 +#define GR_RMDIR_ACL_MSG "%s rmdir of %.950s by "
19898 +#define GR_UNLINK_ACL_MSG "%s unlink of %.950s by "
19899 +#define GR_SYMLINK_ACL_MSG "%s symlink from %.480s to %.480s by "
19900 +#define GR_HARDLINK_MSG "denied hardlink of %.930s (owned by %d.%d) to %.30s for "
19901 +#define GR_LINK_ACL_MSG "%s link of %.480s to %.480s by "
19902 +#define GR_INHERIT_ACL_MSG "successful inherit of %.480s's ACL for %.480s by "
19903 +#define GR_RENAME_ACL_MSG "%s rename of %.480s to %.480s by "
19904 +#define GR_PTRACE_EXEC_ACL_MSG "denied ptrace of %.950s by "
19905 +#define GR_NPROC_MSG "denied overstep of process limit by "
19906 +#define GR_EXEC_ACL_MSG "%s execution of %.950s by "
19907 +#define GR_EXEC_TPE_MSG "denied untrusted exec of %.950s by "
19908 +#define GR_SEGVSTART_ACL_MSG "possible exploit bruteforcing on " DEFAULTSECMSG " banning uid %u from login for %lu seconds"
19909 +#define GR_SEGVNOSUID_ACL_MSG "possible exploit bruteforcing on " DEFAULTSECMSG " banning execution for %lu seconds"
19910 +#define GR_MOUNT_CHROOT_MSG "denied mount of %.30s as %.930s from chroot by "
19911 +#define GR_PIVOT_CHROOT_MSG "denied pivot_root from chroot by "
19912 +#define GR_TRUNCATE_ACL_MSG "%s truncate of %.950s by "
19913 +#define GR_ATIME_ACL_MSG "%s access time change of %.950s by "
19914 +#define GR_ACCESS_ACL_MSG "%s access of %.950s for%s%s%s by "
19915 +#define GR_CHROOT_CHROOT_MSG "denied double chroot to %.950s by "
19916 +#define GR_FCHMOD_ACL_MSG "%s fchmod of %.950s by "
19917 +#define GR_CHMOD_CHROOT_MSG "denied chmod +s of %.950s by "
19918 +#define GR_CHMOD_ACL_MSG "%s chmod of %.950s by "
19919 +#define GR_CHROOT_FCHDIR_MSG "denied fchdir outside of chroot to %.950s by "
19920 +#define GR_CHOWN_ACL_MSG "%s chown of %.950s by "
19921 +#define GR_WRITLIB_ACL_MSG "denied load of writable library %.950s by "
19922 +#define GR_INITF_ACL_MSG "init_variables() failed %s by "
19923 +#define GR_DISABLED_ACL_MSG "Error loading %s, trying to run kernel with acls disabled. To disable acls at startup use <kernel image name> gracl=off from your boot loader"
19924 +#define GR_DEV_ACL_MSG "/dev/grsec: %d bytes sent %d required, being fed garbaged by "
19925 +#define GR_SHUTS_ACL_MSG "shutdown auth success for "
19926 +#define GR_SHUTF_ACL_MSG "shutdown auth failure for "
19927 +#define GR_SHUTI_ACL_MSG "ignoring shutdown for disabled RBAC system for "
19928 +#define GR_SEGVMODS_ACL_MSG "segvmod auth success for "
19929 +#define GR_SEGVMODF_ACL_MSG "segvmod auth failure for "
19930 +#define GR_SEGVMODI_ACL_MSG "ignoring segvmod for disabled RBAC system for "
19931 +#define GR_ENABLE_ACL_MSG "%s RBAC system loaded by "
19932 +#define GR_ENABLEF_ACL_MSG "unable to load %s for "
19933 +#define GR_RELOADI_ACL_MSG "ignoring reload request for disabled RBAC system"
19934 +#define GR_RELOAD_ACL_MSG "%s RBAC system reloaded by "
19935 +#define GR_RELOADF_ACL_MSG "failed reload of %s for "
19936 +#define GR_SPROLEI_ACL_MSG "ignoring change to special role for disabled RBAC system for "
19937 +#define GR_SPROLES_ACL_MSG "successful change to special role %s (id %d) by "
19938 +#define GR_SPROLEL_ACL_MSG "special role %s (id %d) exited by "
19939 +#define GR_SPROLEF_ACL_MSG "special role %s failure for "
19940 +#define GR_UNSPROLEI_ACL_MSG "ignoring unauth of special role for disabled RBAC system for "
19941 +#define GR_UNSPROLES_ACL_MSG "successful unauth of special role %s (id %d) by "
19942 +#define GR_UNSPROLEF_ACL_MSG "special role unauth of %s failure for "
19943 +#define GR_INVMODE_ACL_MSG "invalid mode %d by "
19944 +#define GR_PRIORITY_CHROOT_MSG "denied priority change of process (%.16s:%d) by "
19945 +#define GR_FAILFORK_MSG "failed fork with errno %d by "
19946 +#define GR_NICE_CHROOT_MSG "denied priority change by "
19947 +#define GR_UNISIGLOG_MSG "signal %d sent to "
19948 +#define GR_DUALSIGLOG_MSG "signal %d sent to " DEFAULTSECMSG " by "
19949 +#define GR_SIG_ACL_MSG "denied send of signal %d to protected task " DEFAULTSECMSG " by "
19950 +#define GR_SYSCTL_MSG "denied modification of grsecurity sysctl value : %.32s by "
19951 +#define GR_SYSCTL_ACL_MSG "%s sysctl of %.950s for%s%s by "
19952 +#define GR_TIME_MSG "time set by "
19953 +#define GR_DEFACL_MSG "fatal: unable to find subject for (%.16s:%d), loaded by "
19954 +#define GR_MMAP_ACL_MSG "%s executable mmap of %.950s by "
19955 +#define GR_MPROTECT_ACL_MSG "%s executable mprotect of %.950s by "
19956 +#define GR_SOCK_MSG "denied socket(%.16s,%.16s,%.16s) by "
19957 +#define GR_SOCK2_MSG "denied socket(%d,%.16s,%.16s) by "
19958 +#define GR_BIND_MSG "denied bind() by "
19959 +#define GR_CONNECT_MSG "denied connect() by "
19960 +#define GR_BIND_ACL_MSG "denied bind() to %u.%u.%u.%u port %u sock type %.16s protocol %.16s by "
19961 +#define GR_CONNECT_ACL_MSG "denied connect() to %u.%u.%u.%u port %u sock type %.16s protocol %.16s by "
19962 +#define GR_IP_LEARN_MSG "%s\t%u\t%u\t%u\t%.4095s\t%.4095s\t%u.%u.%u.%u\t%u\t%u\t%u\t%u\t%u.%u.%u.%u"
19963 +#define GR_EXEC_CHROOT_MSG "exec of %.980s within chroot by process "
19964 +#define GR_CAP_ACL_MSG "use of %s denied for "
19965 +#define GR_USRCHANGE_ACL_MSG "change to uid %u denied for "
19966 +#define GR_GRPCHANGE_ACL_MSG "change to gid %u denied for "
19967 +#define GR_REMOUNT_AUDIT_MSG "remount of %.30s by "
19968 +#define GR_UNMOUNT_AUDIT_MSG "unmount of %.30s by "
19969 +#define GR_MOUNT_AUDIT_MSG "mount of %.30s to %.64s by "
19970 +#define GR_CHDIR_AUDIT_MSG "chdir to %.980s by "
19971 +#define GR_EXEC_AUDIT_MSG "exec of %.930s (%.128s) by "
19972 +#define GR_MSGQ_AUDIT_MSG "message queue created by "
19973 +#define GR_MSGQR_AUDIT_MSG "message queue of uid:%u euid:%u removed by "
19974 +#define GR_SEM_AUDIT_MSG "semaphore created by "
19975 +#define GR_SEMR_AUDIT_MSG "semaphore of uid:%u euid:%u removed by "
19976 +#define GR_SHM_AUDIT_MSG "shared memory of size %d created by "
19977 +#define GR_SHMR_AUDIT_MSG "shared memory of uid:%u euid:%u removed by "
19978 +#define GR_RESOURCE_MSG "denied resource overstep by requesting %lu for %.16s against limit %lu for "
19979 +#define GR_TEXTREL_AUDIT_MSG "text relocation in %s, VMA:0x%08lx 0x%08lx by "
19980 diff -urNp linux-2.6.16.12/include/linux/grsecurity.h linux-2.6.16.12/include/linux/grsecurity.h
19981 --- linux-2.6.16.12/include/linux/grsecurity.h 1969-12-31 19:00:00.000000000 -0500
19982 +++ linux-2.6.16.12/include/linux/grsecurity.h 2006-05-01 20:17:34.000000000 -0400
19984 +#ifndef GR_SECURITY_H
19985 +#define GR_SECURITY_H
19986 +#include <linux/fs.h>
19987 +#include <linux/binfmts.h>
19988 +#include <linux/gracl.h>
19990 +extern void gr_handle_brute_attach(struct task_struct *p);
19991 +extern void gr_handle_brute_check(void);
19993 +extern char gr_roletype_to_char(void);
19995 +extern int gr_check_user_change(int real, int effective, int fs);
19996 +extern int gr_check_group_change(int real, int effective, int fs);
19998 +extern void gr_del_task_from_ip_table(struct task_struct *p);
20000 +extern int gr_pid_is_chrooted(struct task_struct *p);
20001 +extern int gr_handle_chroot_nice(void);
20002 +extern int gr_handle_chroot_sysctl(const int op);
20003 +extern int gr_handle_chroot_setpriority(struct task_struct *p,
20004 + const int niceval);
20005 +extern int gr_chroot_fchdir(struct dentry *u_dentry, struct vfsmount *u_mnt);
20006 +extern int gr_handle_chroot_chroot(const struct dentry *dentry,
20007 + const struct vfsmount *mnt);
20008 +extern void gr_handle_chroot_caps(struct task_struct *task);
20009 +extern void gr_handle_chroot_chdir(struct dentry *dentry, struct vfsmount *mnt);
20010 +extern int gr_handle_chroot_chmod(const struct dentry *dentry,
20011 + const struct vfsmount *mnt, const int mode);
20012 +extern int gr_handle_chroot_mknod(const struct dentry *dentry,
20013 + const struct vfsmount *mnt, const int mode);
20014 +extern int gr_handle_chroot_mount(const struct dentry *dentry,
20015 + const struct vfsmount *mnt,
20016 + const char *dev_name);
20017 +extern int gr_handle_chroot_pivot(void);
20018 +extern int gr_handle_chroot_unix(const pid_t pid);
20020 +extern int gr_handle_rawio(const struct inode *inode);
20021 +extern int gr_handle_nproc(void);
20023 +extern void gr_handle_ioperm(void);
20024 +extern void gr_handle_iopl(void);
20026 +extern int gr_tpe_allow(const struct file *file);
20028 +extern int gr_random_pid(void);
20030 +extern void gr_log_forkfail(const int retval);
20031 +extern void gr_log_timechange(void);
20032 +extern void gr_log_signal(const int sig, const struct task_struct *t);
20033 +extern void gr_log_chdir(const struct dentry *dentry,
20034 + const struct vfsmount *mnt);
20035 +extern void gr_log_chroot_exec(const struct dentry *dentry,
20036 + const struct vfsmount *mnt);
20037 +extern void gr_handle_exec_args(struct linux_binprm *bprm, char **argv);
20038 +extern void gr_log_remount(const char *devname, const int retval);
20039 +extern void gr_log_unmount(const char *devname, const int retval);
20040 +extern void gr_log_mount(const char *from, const char *to, const int retval);
20041 +extern void gr_log_msgget(const int ret, const int msgflg);
20042 +extern void gr_log_msgrm(const uid_t uid, const uid_t cuid);
20043 +extern void gr_log_semget(const int err, const int semflg);
20044 +extern void gr_log_semrm(const uid_t uid, const uid_t cuid);
20045 +extern void gr_log_shmget(const int err, const int shmflg, const size_t size);
20046 +extern void gr_log_shmrm(const uid_t uid, const uid_t cuid);
20047 +extern void gr_log_textrel(struct vm_area_struct *vma);
20049 +extern int gr_handle_follow_link(const struct inode *parent,
20050 + const struct inode *inode,
20051 + const struct dentry *dentry,
20052 + const struct vfsmount *mnt);
20053 +extern int gr_handle_fifo(const struct dentry *dentry,
20054 + const struct vfsmount *mnt,
20055 + const struct dentry *dir, const int flag,
20056 + const int acc_mode);
20057 +extern int gr_handle_hardlink(const struct dentry *dentry,
20058 + const struct vfsmount *mnt,
20059 + struct inode *inode,
20060 + const int mode, const char *to);
20062 +extern int gr_task_is_capable(struct task_struct *task, const int cap);
20063 +extern int gr_is_capable_nolog(const int cap);
20064 +extern void gr_learn_resource(const struct task_struct *task, const int limit,
20065 + const unsigned long wanted, const int gt);
20066 +extern void gr_copy_label(struct task_struct *tsk);
20067 +extern void gr_handle_crash(struct task_struct *task, const int sig);
20068 +extern int gr_handle_signal(const struct task_struct *p, const int sig);
20069 +extern int gr_check_crash_uid(const uid_t uid);
20070 +extern int gr_check_protected_task(const struct task_struct *task);
20071 +extern int gr_acl_handle_mmap(const struct file *file,
20072 + const unsigned long prot);
20073 +extern int gr_acl_handle_mprotect(const struct file *file,
20074 + const unsigned long prot);
20075 +extern int gr_check_hidden_task(const struct task_struct *tsk);
20076 +extern __u32 gr_acl_handle_truncate(const struct dentry *dentry,
20077 + const struct vfsmount *mnt);
20078 +extern __u32 gr_acl_handle_utime(const struct dentry *dentry,
20079 + const struct vfsmount *mnt);
20080 +extern __u32 gr_acl_handle_access(const struct dentry *dentry,
20081 + const struct vfsmount *mnt, const int fmode);
20082 +extern __u32 gr_acl_handle_fchmod(const struct dentry *dentry,
20083 + const struct vfsmount *mnt, mode_t mode);
20084 +extern __u32 gr_acl_handle_chmod(const struct dentry *dentry,
20085 + const struct vfsmount *mnt, mode_t mode);
20086 +extern __u32 gr_acl_handle_chown(const struct dentry *dentry,
20087 + const struct vfsmount *mnt);
20088 +extern int gr_handle_ptrace(struct task_struct *task, const long request);
20089 +extern int gr_handle_proc_ptrace(struct task_struct *task);
20090 +extern __u32 gr_acl_handle_execve(const struct dentry *dentry,
20091 + const struct vfsmount *mnt);
20092 +extern int gr_check_crash_exec(const struct file *filp);
20093 +extern int gr_acl_is_enabled(void);
20094 +extern void gr_set_kernel_label(struct task_struct *task);
20095 +extern void gr_set_role_label(struct task_struct *task, const uid_t uid,
20096 + const gid_t gid);
20097 +extern int gr_set_proc_label(const struct dentry *dentry,
20098 + const struct vfsmount *mnt);
20099 +extern __u32 gr_acl_handle_hidden_file(const struct dentry *dentry,
20100 + const struct vfsmount *mnt);
20101 +extern __u32 gr_acl_handle_open(const struct dentry *dentry,
20102 + const struct vfsmount *mnt, const int fmode);
20103 +extern __u32 gr_acl_handle_creat(const struct dentry *dentry,
20104 + const struct dentry *p_dentry,
20105 + const struct vfsmount *p_mnt, const int fmode,
20106 + const int imode);
20107 +extern void gr_handle_create(const struct dentry *dentry,
20108 + const struct vfsmount *mnt);
20109 +extern __u32 gr_acl_handle_mknod(const struct dentry *new_dentry,
20110 + const struct dentry *parent_dentry,
20111 + const struct vfsmount *parent_mnt,
20113 +extern __u32 gr_acl_handle_mkdir(const struct dentry *new_dentry,
20114 + const struct dentry *parent_dentry,
20115 + const struct vfsmount *parent_mnt);
20116 +extern __u32 gr_acl_handle_rmdir(const struct dentry *dentry,
20117 + const struct vfsmount *mnt);
20118 +extern void gr_handle_delete(const ino_t ino, const dev_t dev);
20119 +extern __u32 gr_acl_handle_unlink(const struct dentry *dentry,
20120 + const struct vfsmount *mnt);
20121 +extern __u32 gr_acl_handle_symlink(const struct dentry *new_dentry,
20122 + const struct dentry *parent_dentry,
20123 + const struct vfsmount *parent_mnt,
20124 + const char *from);
20125 +extern __u32 gr_acl_handle_link(const struct dentry *new_dentry,
20126 + const struct dentry *parent_dentry,
20127 + const struct vfsmount *parent_mnt,
20128 + const struct dentry *old_dentry,
20129 + const struct vfsmount *old_mnt, const char *to);
20130 +extern int gr_acl_handle_rename(struct dentry *new_dentry,
20131 + struct dentry *parent_dentry,
20132 + const struct vfsmount *parent_mnt,
20133 + struct dentry *old_dentry,
20134 + struct inode *old_parent_inode,
20135 + struct vfsmount *old_mnt, const char *newname);
20136 +extern void gr_handle_rename(struct inode *old_dir, struct inode *new_dir,
20137 + struct dentry *old_dentry,
20138 + struct dentry *new_dentry,
20139 + struct vfsmount *mnt, const __u8 replace);
20140 +extern __u32 gr_check_link(const struct dentry *new_dentry,
20141 + const struct dentry *parent_dentry,
20142 + const struct vfsmount *parent_mnt,
20143 + const struct dentry *old_dentry,
20144 + const struct vfsmount *old_mnt);
20145 +extern int gr_acl_handle_filldir(const struct file *file, const char *name,
20146 + const unsigned int namelen, const ino_t ino);
20148 +extern __u32 gr_acl_handle_unix(const struct dentry *dentry,
20149 + const struct vfsmount *mnt);
20150 +extern void gr_acl_handle_exit(void);
20151 +extern void gr_acl_handle_psacct(struct task_struct *task, const long code);
20152 +extern int gr_acl_handle_procpidmem(const struct task_struct *task);
20153 +extern __u32 gr_cap_rtnetlink(void);
20155 +#ifdef CONFIG_SYSVIPC
20156 +extern void gr_shm_exit(struct task_struct *task);
20158 +static inline void gr_shm_exit(struct task_struct *task)
20164 +#ifdef CONFIG_GRKERNSEC
20165 +extern void gr_handle_mem_write(void);
20166 +extern void gr_handle_kmem_write(void);
20167 +extern void gr_handle_open_port(void);
20168 +extern int gr_handle_mem_mmap(const unsigned long offset,
20169 + struct vm_area_struct *vma);
20171 +extern unsigned long pax_get_random_long(void);
20172 +#define get_random_long() pax_get_random_long()
20174 +extern int grsec_enable_dmesg;
20175 +extern int grsec_enable_randsrc;
20176 +extern int grsec_enable_shm;
20180 diff -urNp linux-2.6.16.12/include/linux/mman.h linux-2.6.16.12/include/linux/mman.h
20181 --- linux-2.6.16.12/include/linux/mman.h 2006-05-01 15:14:26.000000000 -0400
20182 +++ linux-2.6.16.12/include/linux/mman.h 2006-05-01 20:17:34.000000000 -0400
20183 @@ -59,6 +59,11 @@ static inline unsigned long
20184 calc_vm_flag_bits(unsigned long flags)
20186 return _calc_vm_trans(flags, MAP_GROWSDOWN, VM_GROWSDOWN ) |
20188 +#ifdef CONFIG_PAX_SEGMEXEC
20189 + _calc_vm_trans(flags, MAP_MIRROR, VM_MIRROR) |
20192 _calc_vm_trans(flags, MAP_DENYWRITE, VM_DENYWRITE ) |
20193 _calc_vm_trans(flags, MAP_EXECUTABLE, VM_EXECUTABLE) |
20194 _calc_vm_trans(flags, MAP_LOCKED, VM_LOCKED );
20195 diff -urNp linux-2.6.16.12/include/linux/mm.h linux-2.6.16.12/include/linux/mm.h
20196 --- linux-2.6.16.12/include/linux/mm.h 2006-05-01 15:14:26.000000000 -0400
20197 +++ linux-2.6.16.12/include/linux/mm.h 2006-05-01 20:17:34.000000000 -0400
20198 @@ -38,6 +38,7 @@ extern int sysctl_legacy_va_layout;
20199 #include <asm/pgtable.h>
20200 #include <asm/processor.h>
20201 #include <asm/atomic.h>
20202 +#include <asm/mman.h>
20204 #define nth_page(page,n) pfn_to_page(page_to_pfn((page)) + (n))
20206 @@ -111,8 +112,43 @@ struct vm_area_struct {
20208 struct mempolicy *vm_policy; /* NUMA policy for the VMA */
20211 + unsigned long vm_mirror; /* PaX: mirror distance */
20214 +#ifdef CONFIG_PAX_SOFTMODE
20215 +extern unsigned int pax_softmode;
20218 +extern int pax_check_flags(unsigned long *);
20220 +/* if tsk != current then task_lock must be held on it */
20221 +#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
20222 +static inline unsigned long pax_get_flags(struct task_struct *tsk)
20224 + if (likely(tsk->mm))
20225 + return tsk->mm->pax_flags;
20230 +/* if tsk != current then task_lock must be held on it */
20231 +static inline long pax_set_flags(struct task_struct *tsk, unsigned long flags)
20233 + if (likely(tsk->mm)) {
20234 + tsk->mm->pax_flags = flags;
20241 +#ifdef CONFIG_PAX_HAVE_ACL_FLAGS
20242 +extern void pax_set_initial_flags(struct linux_binprm * bprm);
20243 +#elif defined(CONFIG_PAX_HOOK_ACL_FLAGS)
20244 +extern void (*pax_set_initial_flags_func)(struct linux_binprm * bprm);
20248 * This struct defines the per-mm list of VMAs for uClinux. If CONFIG_MMU is
20249 * disabled, then there's a single shared list of VMAs maintained by the
20250 @@ -167,6 +203,18 @@ extern unsigned int kobjsize(const void
20251 #define VM_MAPPED_COPY 0x01000000 /* T if mapped copy of data (nommu mmap) */
20252 #define VM_INSERTPAGE 0x02000000 /* The vma has had "vm_insert_page()" done on it */
20254 +#ifdef CONFIG_PAX_SEGMEXEC
20255 +#define VM_MIRROR 0x04000000 /* vma is mirroring another */
20258 +#ifdef CONFIG_PAX_MPROTECT
20259 +#define VM_MAYNOTWRITE 0x08000000 /* vma cannot be granted VM_WRITE any more */
20262 +#ifdef __VM_STACK_FLAGS
20263 +#define VM_STACK_DEFAULT_FLAGS (0x00000033 | __VM_STACK_FLAGS)
20266 #ifndef VM_STACK_DEFAULT_FLAGS /* arch can override this */
20267 #define VM_STACK_DEFAULT_FLAGS VM_DATA_DEFAULT_FLAGS
20269 @@ -1056,5 +1104,11 @@ void drop_slab(void);
20270 extern int randomize_va_space;
20273 +#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
20274 +extern void track_exec_limit(struct mm_struct *mm, unsigned long start, unsigned long end, unsigned long prot);
20276 +static inline void track_exec_limit(struct mm_struct *mm, unsigned long start, unsigned long end, unsigned long prot) {}
20279 #endif /* __KERNEL__ */
20280 #endif /* _LINUX_MM_H */
20281 diff -urNp linux-2.6.16.12/include/linux/module.h linux-2.6.16.12/include/linux/module.h
20282 --- linux-2.6.16.12/include/linux/module.h 2006-05-01 15:14:26.000000000 -0400
20283 +++ linux-2.6.16.12/include/linux/module.h 2006-05-01 20:17:34.000000000 -0400
20284 @@ -263,16 +263,16 @@ struct module
20287 /* If this is non-NULL, vfree after init() returns */
20288 - void *module_init;
20289 + void *module_init_rx, *module_init_rw;
20291 /* Here is the actual code + data, vfree'd on unload. */
20292 - void *module_core;
20293 + void *module_core_rx, *module_core_rw;
20295 /* Here are the sizes of the init and core sections */
20296 - unsigned long init_size, core_size;
20297 + unsigned long init_size_rw, core_size_rw;
20299 /* The size of the executable code in each section. */
20300 - unsigned long init_text_size, core_text_size;
20301 + unsigned long init_size_rx, core_size_rx;
20303 /* Arch-specific module values */
20304 struct mod_arch_specific arch;
20305 diff -urNp linux-2.6.16.12/include/linux/moduleloader.h linux-2.6.16.12/include/linux/moduleloader.h
20306 --- linux-2.6.16.12/include/linux/moduleloader.h 2006-05-01 15:14:26.000000000 -0400
20307 +++ linux-2.6.16.12/include/linux/moduleloader.h 2006-05-01 20:17:34.000000000 -0400
20308 @@ -17,9 +17,21 @@ int module_frob_arch_sections(Elf_Ehdr *
20309 sections. Returns NULL on failure. */
20310 void *module_alloc(unsigned long size);
20312 +#ifdef CONFIG_PAX_KERNEXEC
20313 +void *module_alloc_exec(unsigned long size);
20315 +#define module_alloc_exec(x) module_alloc(x)
20318 /* Free memory returned from module_alloc. */
20319 void module_free(struct module *mod, void *module_region);
20321 +#ifdef CONFIG_PAX_KERNEXEC
20322 +void module_free_exec(struct module *mod, void *module_region);
20324 +#define module_free_exec(x, y) module_free(x, y)
20327 /* Apply the given relocation to the (simplified) ELF. Return -error
20329 int apply_relocate(Elf_Shdr *sechdrs,
20330 diff -urNp linux-2.6.16.12/include/linux/random.h linux-2.6.16.12/include/linux/random.h
20331 --- linux-2.6.16.12/include/linux/random.h 2006-05-01 15:14:26.000000000 -0400
20332 +++ linux-2.6.16.12/include/linux/random.h 2006-05-01 20:17:34.000000000 -0400
20333 @@ -62,6 +62,8 @@ extern __u32 secure_tcpv6_sequence_numbe
20334 extern u64 secure_dccp_sequence_number(__u32 saddr, __u32 daddr,
20335 __u16 sport, __u16 dport);
20337 +extern unsigned long pax_get_random_long(void);
20340 extern struct file_operations random_fops, urandom_fops;
20342 diff -urNp linux-2.6.16.12/include/linux/sched.h linux-2.6.16.12/include/linux/sched.h
20343 --- linux-2.6.16.12/include/linux/sched.h 2006-05-01 15:14:26.000000000 -0400
20344 +++ linux-2.6.16.12/include/linux/sched.h 2006-05-01 20:17:34.000000000 -0400
20346 #include <linux/auxvec.h> /* For AT_VECTOR_SIZE */
20348 struct exec_domain;
20349 +struct linux_binprm;
20353 @@ -355,8 +356,34 @@ struct mm_struct {
20355 rwlock_t ioctx_list_lock;
20356 struct kioctx *ioctx_list;
20358 +#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
20359 + unsigned long pax_flags;
20362 +#ifdef CONFIG_PAX_DLRESOLVE
20363 + unsigned long call_dl_resolve;
20366 +#if defined(CONFIG_PPC32) && defined(CONFIG_PAX_EMUSIGRT)
20367 + unsigned long call_syscall;
20370 +#ifdef CONFIG_PAX_ASLR
20371 + unsigned long delta_mmap; /* randomized offset */
20372 + unsigned long delta_exec; /* randomized offset */
20373 + unsigned long delta_stack; /* randomized offset */
20378 +#define MF_PAX_PAGEEXEC 0x01000000 /* Paging based non-executable pages */
20379 +#define MF_PAX_EMUTRAMP 0x02000000 /* Emulate trampolines */
20380 +#define MF_PAX_MPROTECT 0x04000000 /* Restrict mprotect() */
20381 +#define MF_PAX_RANDMMAP 0x08000000 /* Randomize mmap() base */
20382 +/*#define MF_PAX_RANDEXEC 0x10000000*/ /* Randomize ET_EXEC base */
20383 +#define MF_PAX_SEGMEXEC 0x20000000 /* Segmentation based non-executable pages */
20385 struct sighand_struct {
20387 struct k_sigaction action[_NSIG];
20388 @@ -461,6 +488,15 @@ struct signal_struct {
20389 struct key *session_keyring; /* keyring inherited over fork */
20390 struct key *process_keyring; /* keyring private to this process */
20393 +#ifdef CONFIG_GRKERNSEC
20399 + u8 used_accept:1;
20403 /* Context switch must be unlocked if interrupts are to be enabled */
20404 @@ -886,6 +912,16 @@ struct task_struct {
20405 nodemask_t mems_allowed;
20406 int cpuset_mems_generation;
20408 +#ifdef CONFIG_GRKERNSEC
20410 + struct acl_subject_label *acl;
20411 + struct acl_role_label *role;
20412 + struct file *exec_file;
20414 + u8 acl_sp_role:1;
20415 + u8 is_writable:1;
20418 atomic_t fs_excl; /* holding fs exclusive resources */
20419 struct rcu_head rcu;
20421 @@ -1402,6 +1442,12 @@ extern void arch_pick_mmap_layout(struct
20422 static inline void arch_pick_mmap_layout(struct mm_struct *mm)
20424 mm->mmap_base = TASK_UNMAPPED_BASE;
20426 +#ifdef CONFIG_PAX_RANDMMAP
20427 + if (mm->pax_flags & MF_PAX_RANDMMAP)
20428 + mm->mmap_base += mm->delta_mmap;
20431 mm->get_unmapped_area = arch_get_unmapped_area;
20432 mm->unmap_area = arch_unmap_area;
20434 diff -urNp linux-2.6.16.12/include/linux/shm.h linux-2.6.16.12/include/linux/shm.h
20435 --- linux-2.6.16.12/include/linux/shm.h 2006-05-01 15:14:26.000000000 -0400
20436 +++ linux-2.6.16.12/include/linux/shm.h 2006-05-01 20:17:34.000000000 -0400
20437 @@ -86,6 +86,10 @@ struct shmid_kernel /* private to the ke
20440 struct user_struct *mlock_user;
20441 +#ifdef CONFIG_GRKERNSEC
20442 + time_t shm_createtime;
20447 /* shm_mode upper byte flags */
20448 diff -urNp linux-2.6.16.12/include/linux/sysctl.h linux-2.6.16.12/include/linux/sysctl.h
20449 --- linux-2.6.16.12/include/linux/sysctl.h 2006-05-01 15:14:26.000000000 -0400
20450 +++ linux-2.6.16.12/include/linux/sysctl.h 2006-05-01 20:17:34.000000000 -0400
20452 INOTIFY_MAX_QUEUED_EVENTS=3 /* max queued events per instance */
20455 +#ifdef CONFIG_PAX_SOFTMODE
20457 + PAX_SOFTMODE=1 /* PaX: disable/enable soft mode */
20461 /* CTL_KERN names: */
20464 +#ifdef CONFIG_GRKERNSEC
20465 + KERN_GRSECURITY=98, /* grsecurity */
20467 +#ifdef CONFIG_PAX_SOFTMODE
20468 + KERN_PAX=99, /* PaX control */
20470 KERN_OSTYPE=1, /* string: system version */
20471 KERN_OSRELEASE=2, /* string: system release */
20472 KERN_OSREV=3, /* int: system revision */
20473 diff -urNp linux-2.6.16.12/init/Kconfig linux-2.6.16.12/init/Kconfig
20474 --- linux-2.6.16.12/init/Kconfig 2006-05-01 15:14:26.000000000 -0400
20475 +++ linux-2.6.16.12/init/Kconfig 2006-05-01 20:17:34.000000000 -0400
20476 @@ -257,6 +257,7 @@ menuconfig EMBEDDED
20478 bool "Load all symbols for debugging/kksymoops" if EMBEDDED
20480 + depends on !GRKERNSEC_HIDESYM
20482 Say Y here to let the kernel print out symbolic crash information and
20483 symbolic stack backtraces. This increases the size of the kernel
20484 diff -urNp linux-2.6.16.12/init/main.c linux-2.6.16.12/init/main.c
20485 --- linux-2.6.16.12/init/main.c 2006-05-01 15:14:26.000000000 -0400
20486 +++ linux-2.6.16.12/init/main.c 2006-05-01 20:17:34.000000000 -0400
20487 @@ -100,6 +100,7 @@ static inline void mark_rodata_ro(void)
20489 extern void tc_init(void);
20491 +extern void grsecurity_init(void);
20493 enum system_states system_state;
20494 EXPORT_SYMBOL(system_state);
20495 @@ -150,6 +151,15 @@ static int __init maxcpus(char *str)
20497 __setup("maxcpus=", maxcpus);
20499 +#ifdef CONFIG_PAX_SOFTMODE
20500 +static int __init setup_pax_softmode(char *str)
20502 + get_option(&str, &pax_softmode);
20505 +__setup("pax_softmode=", setup_pax_softmode);
20508 static char * argv_init[MAX_INIT_ARGS+2] = { "init", NULL, };
20509 char * envp_init[MAX_INIT_ENVS+2] = { "HOME=/", "TERM=linux", NULL, };
20510 static const char *panic_later, *panic_param;
20511 @@ -701,6 +711,8 @@ static int init(void * unused)
20512 prepare_namespace();
20515 + grsecurity_init();
20518 * Ok, we have completed the initial bootup, and
20519 * we're essentially up and running. Get rid of the
20520 diff -urNp linux-2.6.16.12/ipc/msg.c linux-2.6.16.12/ipc/msg.c
20521 --- linux-2.6.16.12/ipc/msg.c 2006-05-01 15:14:26.000000000 -0400
20522 +++ linux-2.6.16.12/ipc/msg.c 2006-05-01 20:17:34.000000000 -0400
20524 #include <linux/syscalls.h>
20525 #include <linux/audit.h>
20526 #include <linux/seq_file.h>
20527 +#include <linux/grsecurity.h>
20528 #include <asm/current.h>
20529 #include <asm/uaccess.h>
20531 @@ -234,6 +235,9 @@ asmlinkage long sys_msgget (key_t key, i
20536 + gr_log_msgget(ret, msgflg);
20541 @@ -485,6 +489,8 @@ asmlinkage long sys_msgctl (int msqid, i
20545 + gr_log_msgrm(ipcp->uid, ipcp->cuid);
20547 freeque (msq, msqid);
20550 diff -urNp linux-2.6.16.12/ipc/sem.c linux-2.6.16.12/ipc/sem.c
20551 --- linux-2.6.16.12/ipc/sem.c 2006-05-01 15:14:26.000000000 -0400
20552 +++ linux-2.6.16.12/ipc/sem.c 2006-05-01 20:17:34.000000000 -0400
20554 #include <linux/capability.h>
20555 #include <linux/seq_file.h>
20556 #include <linux/vs_limit.h>
20557 +#include <linux/grsecurity.h>
20558 #include <asm/uaccess.h>
20561 @@ -247,6 +248,9 @@ asmlinkage long sys_semget (key_t key, i
20566 + gr_log_semget(err, semflg);
20571 @@ -840,6 +844,8 @@ static int semctl_down(int semid, int se
20575 + gr_log_semrm(ipcp->uid, ipcp->cuid);
20577 freeary(sma, semid);
20580 diff -urNp linux-2.6.16.12/ipc/shm.c linux-2.6.16.12/ipc/shm.c
20581 --- linux-2.6.16.12/ipc/shm.c 2006-05-01 15:14:26.000000000 -0400
20582 +++ linux-2.6.16.12/ipc/shm.c 2006-05-01 20:17:34.000000000 -0400
20584 #include <linux/seq_file.h>
20585 #include <linux/vs_context.h>
20586 #include <linux/vs_limit.h>
20587 +#include <linux/grsecurity.h>
20589 #include <asm/uaccess.h>
20591 @@ -55,6 +56,14 @@ static void shm_close (struct vm_area_st
20592 static int sysvipc_shm_proc_show(struct seq_file *s, void *it);
20595 +#ifdef CONFIG_GRKERNSEC
20596 +extern int gr_handle_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
20597 + const time_t shm_createtime, const uid_t cuid,
20598 + const int shmid);
20599 +extern int gr_chroot_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
20600 + const time_t shm_createtime);
20603 size_t shm_ctlmax = SHMMAX;
20604 size_t shm_ctlall = SHMALL;
20605 int shm_ctlmni = SHMMNI;
20606 @@ -154,6 +163,17 @@ static void shm_close (struct vm_area_st
20607 shp->shm_lprid = current->tgid;
20608 shp->shm_dtim = get_seconds();
20610 +#ifdef CONFIG_GRKERNSEC_SHM
20611 + if (grsec_enable_shm) {
20612 + if (shp->shm_nattch == 0) {
20613 + shp->shm_perm.mode |= SHM_DEST;
20614 + shm_destroy(shp);
20617 + up(&shm_ids.sem);
20621 if(shp->shm_nattch == 0 &&
20622 shp->shm_perm.mode & SHM_DEST)
20624 @@ -256,6 +276,9 @@ static int newseg (key_t key, int shmflg
20625 shp->shm_lprid = 0;
20626 shp->shm_atim = shp->shm_dtim = 0;
20627 shp->shm_ctim = get_seconds();
20628 +#ifdef CONFIG_GRKERNSEC
20629 + shp->shm_createtime = get_seconds();
20631 shp->shm_segsz = size;
20632 shp->shm_nattch = 0;
20633 shp->id = shm_buildid(id,shp->shm_perm.seq);
20634 @@ -312,6 +335,8 @@ asmlinkage long sys_shmget (key_t key, s
20638 + gr_log_shmget(err, shmflg, size);
20643 @@ -617,6 +642,8 @@ asmlinkage long sys_shmctl (int shmid, i
20645 goto out_unlock_up;
20647 + gr_log_shmrm(shp->shm_perm.uid, shp->shm_perm.cuid);
20649 if (shp->shm_nattch){
20650 shp->shm_perm.mode |= SHM_DEST;
20651 /* Do not find it any more */
20652 @@ -761,9 +788,27 @@ long do_shmat(int shmid, char __user *sh
20656 +#ifdef CONFIG_GRKERNSEC
20657 + if (!gr_handle_shmat(shp->shm_cprid, shp->shm_lapid, shp->shm_createtime,
20658 + shp->shm_perm.cuid, shmid)) {
20663 + if (!gr_chroot_shmat(shp->shm_cprid, shp->shm_lapid, shp->shm_createtime)) {
20669 file = shp->shm_file;
20670 size = i_size_read(file->f_dentry->d_inode);
20673 +#ifdef CONFIG_GRKERNSEC
20674 + shp->shm_lapid = current->pid;
20679 down_write(¤t->mm->mmap_sem);
20680 @@ -933,3 +978,24 @@ static int sysvipc_shm_proc_show(struct
20685 +void gr_shm_exit(struct task_struct *task)
20687 +#ifdef CONFIG_GRKERNSEC_SHM
20689 + struct shmid_kernel *shp;
20691 + if (!grsec_enable_shm)
20694 + for (i = 0; i <= shm_ids.max_id; i++) {
20695 + shp = shm_get(i);
20696 + if (shp && (shp->shm_cprid == task->pid) &&
20697 + (shp->shm_nattch <= 0)) {
20698 + shp->shm_perm.mode |= SHM_DEST;
20699 + shm_destroy(shp);
20705 diff -urNp linux-2.6.16.12/kernel/capability.c linux-2.6.16.12/kernel/capability.c
20706 --- linux-2.6.16.12/kernel/capability.c 2006-05-01 15:14:26.000000000 -0400
20707 +++ linux-2.6.16.12/kernel/capability.c 2006-05-01 20:17:34.000000000 -0400
20709 #include <linux/security.h>
20710 #include <linux/syscalls.h>
20711 #include <linux/vs_pid.h>
20712 +#include <linux/grsecurity.h>
20713 #include <asm/uaccess.h>
20715 unsigned securebits = SECUREBITS_DEFAULT; /* systemwide security settings */
20716 diff -urNp linux-2.6.16.12/kernel/configs.c linux-2.6.16.12/kernel/configs.c
20717 --- linux-2.6.16.12/kernel/configs.c 2006-05-01 15:14:26.000000000 -0400
20718 +++ linux-2.6.16.12/kernel/configs.c 2006-05-01 20:17:34.000000000 -0400
20719 @@ -89,8 +89,16 @@ static int __init ikconfig_init(void)
20720 struct proc_dir_entry *entry;
20722 /* create the current config file */
20723 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
20724 +#ifdef CONFIG_GRKERNSEC_PROC_USER
20725 + entry = create_proc_entry("config.gz", S_IFREG | S_IRUSR, &proc_root);
20726 +#elif CONFIG_GRKERNSEC_PROC_USERGROUP
20727 + entry = create_proc_entry("config.gz", S_IFREG | S_IRUSR | S_IRGRP, &proc_root);
20730 entry = create_proc_entry("config.gz", S_IFREG | S_IRUGO,
20736 diff -urNp linux-2.6.16.12/kernel/exit.c linux-2.6.16.12/kernel/exit.c
20737 --- linux-2.6.16.12/kernel/exit.c 2006-05-01 15:14:26.000000000 -0400
20738 +++ linux-2.6.16.12/kernel/exit.c 2006-05-01 20:17:34.000000000 -0400
20740 #include <linux/vs_context.h>
20741 #include <linux/vs_network.h>
20742 #include <linux/vs_pid.h>
20743 +#include <linux/grsecurity.h>
20745 +#ifdef CONFIG_GRKERNSEC
20746 +extern rwlock_t grsec_exec_file_lock;
20749 #include <asm/uaccess.h>
20750 #include <asm/unistd.h>
20751 @@ -238,6 +244,15 @@ static void reparent_to_init(void)
20753 write_lock_irq(&tasklist_lock);
20755 +#ifdef CONFIG_GRKERNSEC
20756 + write_lock(&grsec_exec_file_lock);
20757 + if (current->exec_file) {
20758 + fput(current->exec_file);
20759 + current->exec_file = NULL;
20761 + write_unlock(&grsec_exec_file_lock);
20764 ptrace_unlink(current);
20765 /* Reparent to init */
20766 REMOVE_LINKS(current);
20767 @@ -245,6 +259,8 @@ static void reparent_to_init(void)
20768 current->real_parent = child_reaper;
20769 SET_LINKS(current);
20771 + gr_set_kernel_label(current);
20773 /* Set the exit signal to SIGCHLD so we signal init on exit */
20774 current->exit_signal = SIGCHLD;
20776 @@ -341,6 +357,17 @@ void daemonize(const char *name, ...)
20777 vsnprintf(current->comm, sizeof(current->comm), name, args);
20780 +#ifdef CONFIG_GRKERNSEC
20781 + write_lock(&grsec_exec_file_lock);
20782 + if (current->exec_file) {
20783 + fput(current->exec_file);
20784 + current->exec_file = NULL;
20786 + write_unlock(&grsec_exec_file_lock);
20789 + gr_set_kernel_label(current);
20792 * If we were started as result of loading a module, close all of the
20793 * user space pages. We don't need them, and if we didn't close them
20794 @@ -863,9 +890,14 @@ fastcall NORET_TYPE void do_exit(long co
20795 exit_itimers(tsk->signal);
20796 acct_process(code);
20799 + gr_acl_handle_psacct(tsk, code);
20800 + gr_acl_handle_exit();
20805 + gr_shm_exit(tsk);
20808 exit_namespace(tsk);
20809 diff -urNp linux-2.6.16.12/kernel/fork.c linux-2.6.16.12/kernel/fork.c
20810 --- linux-2.6.16.12/kernel/fork.c 2006-05-01 15:14:26.000000000 -0400
20811 +++ linux-2.6.16.12/kernel/fork.c 2006-05-01 20:17:34.000000000 -0400
20813 #include <linux/vs_network.h>
20814 #include <linux/vs_limit.h>
20815 #include <linux/vs_memory.h>
20816 +#include <linux/grsecurity.h>
20818 #include <asm/pgtable.h>
20819 #include <asm/pgalloc.h>
20820 @@ -207,8 +208,8 @@ static inline int dup_mmap(struct mm_str
20823 mm->mmap_cache = NULL;
20824 - mm->free_area_cache = oldmm->mmap_base;
20825 - mm->cached_hole_size = ~0UL;
20826 + mm->free_area_cache = oldmm->free_area_cache;
20827 + mm->cached_hole_size = oldmm->cached_hole_size;
20829 __set_mm_counter(mm, file_rss, 0);
20830 __set_mm_counter(mm, anon_rss, 0);
20831 @@ -333,7 +334,7 @@ static struct mm_struct * mm_init(struct
20832 spin_lock_init(&mm->page_table_lock);
20833 rwlock_init(&mm->ioctx_list_lock);
20834 mm->ioctx_list = NULL;
20835 - mm->free_area_cache = TASK_UNMAPPED_BASE;
20836 + mm->free_area_cache = ~0UL;
20837 mm->cached_hole_size = ~0UL;
20839 if (likely(!mm_alloc_pgd(mm))) {
20840 @@ -1013,6 +1014,9 @@ static task_t *copy_process(unsigned lon
20841 if (!vx_nproc_avail(1))
20842 goto bad_fork_cleanup_vm;
20845 + gr_learn_resource(p, RLIMIT_NPROC, atomic_read(&p->user->processes), 0);
20847 if (atomic_read(&p->user->processes) >=
20848 p->signal->rlim[RLIMIT_NPROC].rlim_cur) {
20849 if (!capable(CAP_SYS_ADMIN) && !capable(CAP_SYS_RESOURCE) &&
20850 @@ -1122,6 +1126,8 @@ static task_t *copy_process(unsigned lon
20852 goto bad_fork_cleanup_namespace;
20854 + gr_copy_label(p);
20856 p->set_child_tid = (clone_flags & CLONE_CHILD_SETTID) ? child_tidptr : NULL;
20858 * Clear TID on mm_release()?
20859 @@ -1321,6 +1327,8 @@ bad_fork_cleanup_count:
20863 + gr_log_forkfail(retval);
20865 return ERR_PTR(retval);
20868 @@ -1387,6 +1395,8 @@ long do_fork(unsigned long clone_flags,
20872 + gr_handle_brute_check();
20874 if (unlikely(current->ptrace)) {
20875 trace = fork_traceflag (clone_flags);
20877 diff -urNp linux-2.6.16.12/kernel/futex.c linux-2.6.16.12/kernel/futex.c
20878 --- linux-2.6.16.12/kernel/futex.c 2006-05-01 15:14:26.000000000 -0400
20879 +++ linux-2.6.16.12/kernel/futex.c 2006-05-01 20:17:34.000000000 -0400
20880 @@ -147,6 +147,11 @@ static int get_futex_key(unsigned long u
20884 +#ifdef CONFIG_PAX_SEGMEXEC
20885 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (uaddr >= SEGMEXEC_TASK_SIZE))
20890 * The futex address must be "naturally" aligned.
20892 diff -urNp linux-2.6.16.12/kernel/kallsyms.c linux-2.6.16.12/kernel/kallsyms.c
20893 --- linux-2.6.16.12/kernel/kallsyms.c 2006-05-01 15:14:26.000000000 -0400
20894 +++ linux-2.6.16.12/kernel/kallsyms.c 2006-05-01 20:17:34.000000000 -0400
20895 @@ -301,7 +301,6 @@ static unsigned long get_ksymbol_core(st
20897 static void reset_iter(struct kallsym_iter *iter, loff_t new_pos)
20899 - iter->name[0] = '\0';
20900 iter->nameoff = get_symbol_offset(new_pos);
20901 iter->pos = new_pos;
20903 @@ -380,7 +379,7 @@ static int kallsyms_open(struct inode *i
20904 struct kallsym_iter *iter;
20907 - iter = kmalloc(sizeof(*iter), GFP_KERNEL);
20908 + iter = kzalloc(sizeof(*iter), GFP_KERNEL);
20911 reset_iter(iter, 0);
20912 @@ -411,7 +410,15 @@ static int __init kallsyms_init(void)
20914 struct proc_dir_entry *entry;
20916 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
20917 +#ifdef CONFIG_GRKERNSEC_PROC_USER
20918 + entry = create_proc_entry("kallsyms", S_IFREG | S_IRUSR, NULL);
20919 +#elif CONFIG_GRKERNSEC_PROC_USERGROUP
20920 + entry = create_proc_entry("kallsyms", S_IFREG | S_IRUSR | S_IRGRP, NULL);
20923 entry = create_proc_entry("kallsyms", 0444, NULL);
20926 entry->proc_fops = &kallsyms_operations;
20928 diff -urNp linux-2.6.16.12/kernel/kprobes.c linux-2.6.16.12/kernel/kprobes.c
20929 --- linux-2.6.16.12/kernel/kprobes.c 2006-05-01 15:14:26.000000000 -0400
20930 +++ linux-2.6.16.12/kernel/kprobes.c 2006-05-01 20:17:34.000000000 -0400
20931 @@ -106,7 +106,7 @@ kprobe_opcode_t __kprobes *get_insn_slot
20932 * kernel image and loaded module images reside. This is required
20933 * so x86_64 can correctly handle the %rip-relative fixups.
20935 - kip->insns = module_alloc(PAGE_SIZE);
20936 + kip->insns = module_alloc_exec(PAGE_SIZE);
20940 diff -urNp linux-2.6.16.12/kernel/module.c linux-2.6.16.12/kernel/module.c
20941 --- linux-2.6.16.12/kernel/module.c 2006-05-01 15:14:26.000000000 -0400
20942 +++ linux-2.6.16.12/kernel/module.c 2006-05-01 20:17:34.000000000 -0400
20943 @@ -39,10 +39,15 @@
20944 #include <linux/device.h>
20945 #include <linux/string.h>
20946 #include <linux/sched.h>
20947 +#include <linux/kallsyms.h>
20948 #include <asm/uaccess.h>
20949 #include <asm/semaphore.h>
20950 #include <asm/cacheflush.h>
20952 +#ifdef CONFIG_PAX_KERNEXEC
20953 +#include <asm/desc.h>
20957 #define DEBUGP printk
20959 @@ -66,6 +71,8 @@ static LIST_HEAD(modules);
20960 static DECLARE_MUTEX(notify_mutex);
20961 static struct notifier_block * module_notify_list;
20963 +extern int gr_check_modstop(void);
20965 int register_module_notifier(struct notifier_block * nb)
20968 @@ -576,6 +583,9 @@ sys_delete_module(const char __user *nam
20969 char name[MODULE_NAME_LEN];
20970 int ret, forced = 0;
20972 + if (gr_check_modstop())
20975 if (!capable(CAP_SYS_MODULE))
20978 @@ -1178,13 +1188,15 @@ static void free_module(struct module *m
20979 module_unload_free(mod);
20981 /* This may be NULL, but that's OK */
20982 - module_free(mod, mod->module_init);
20983 + module_free(mod, mod->module_init_rw);
20984 + module_free_exec(mod, mod->module_init_rx);
20987 percpu_modfree(mod->percpu);
20989 /* Finally, free the core (containing the module structure) */
20990 - module_free(mod, mod->module_core);
20991 + module_free_exec(mod, mod->module_core_rx);
20992 + module_free(mod, mod->module_core_rw);
20995 void *__symbol_get(const char *symbol)
20996 @@ -1341,11 +1353,14 @@ static void layout_sections(struct modul
20997 || strncmp(secstrings + s->sh_name,
21000 - s->sh_entsize = get_offset(&mod->core_size, s);
21001 + if ((s->sh_flags & SHF_WRITE) || !(s->sh_flags & SHF_ALLOC))
21002 + s->sh_entsize = get_offset(&mod->core_size_rw, s);
21004 + s->sh_entsize = get_offset(&mod->core_size_rx, s);
21005 DEBUGP("\t%s\n", secstrings + s->sh_name);
21008 - mod->core_text_size = mod->core_size;
21009 + mod->core_size_rx = mod->core_size_rx;
21012 DEBUGP("Init section allocation order:\n");
21013 @@ -1359,12 +1374,15 @@ static void layout_sections(struct modul
21014 || strncmp(secstrings + s->sh_name,
21017 - s->sh_entsize = (get_offset(&mod->init_size, s)
21018 - | INIT_OFFSET_MASK);
21019 + if ((s->sh_flags & SHF_WRITE) || !(s->sh_flags & SHF_ALLOC))
21020 + s->sh_entsize = get_offset(&mod->init_size_rw, s);
21022 + s->sh_entsize = get_offset(&mod->init_size_rx, s);
21023 + s->sh_entsize |= INIT_OFFSET_MASK;
21024 DEBUGP("\t%s\n", secstrings + s->sh_name);
21027 - mod->init_text_size = mod->init_size;
21028 + mod->init_size_rx = mod->init_size_rx;
21032 @@ -1545,6 +1563,10 @@ static struct module *load_module(void _
21033 struct exception_table_entry *extable;
21034 mm_segment_t old_fs;
21036 +#ifdef CONFIG_PAX_KERNEXEC
21037 + unsigned long cr0;
21040 DEBUGP("load_module: umod=%p, len=%lu, uargs=%p\n",
21042 if (len < sizeof(*hdr))
21043 @@ -1704,21 +1726,57 @@ static struct module *load_module(void _
21044 layout_sections(mod, hdr, sechdrs, secstrings);
21046 /* Do the allocs. */
21047 - ptr = module_alloc(mod->core_size);
21048 + ptr = module_alloc(mod->core_size_rw);
21053 - memset(ptr, 0, mod->core_size);
21054 - mod->module_core = ptr;
21055 + memset(ptr, 0, mod->core_size_rw);
21056 + mod->module_core_rw = ptr;
21058 + ptr = module_alloc(mod->init_size_rw);
21059 + if (!ptr && mod->init_size_rw) {
21061 + goto free_core_rw;
21063 + memset(ptr, 0, mod->init_size_rw);
21064 + mod->module_init_rw = ptr;
21066 + ptr = module_alloc_exec(mod->core_size_rx);
21069 + goto free_init_rw;
21072 +#ifdef CONFIG_PAX_KERNEXEC
21073 + pax_open_kernel(cr0);
21076 + memset(ptr, 0, mod->core_size_rx);
21078 +#ifdef CONFIG_PAX_KERNEXEC
21079 + pax_close_kernel(cr0);
21082 + mod->module_core_rx = ptr;
21084 - ptr = module_alloc(mod->init_size);
21085 - if (!ptr && mod->init_size) {
21086 + ptr = module_alloc_exec(mod->init_size_rx);
21087 + if (!ptr && mod->init_size_rx) {
21090 + goto free_core_rx;
21092 - memset(ptr, 0, mod->init_size);
21093 - mod->module_init = ptr;
21095 +#ifdef CONFIG_PAX_KERNEXEC
21096 + pax_open_kernel(cr0);
21099 + memset(ptr, 0, mod->init_size_rx);
21101 +#ifdef CONFIG_PAX_KERNEXEC
21102 + pax_close_kernel(cr0);
21105 + mod->module_init_rx = ptr;
21107 /* Transfer each section which specifies SHF_ALLOC */
21108 DEBUGP("final section addresses:\n");
21109 @@ -1728,17 +1786,44 @@ static struct module *load_module(void _
21110 if (!(sechdrs[i].sh_flags & SHF_ALLOC))
21113 - if (sechdrs[i].sh_entsize & INIT_OFFSET_MASK)
21114 - dest = mod->module_init
21115 - + (sechdrs[i].sh_entsize & ~INIT_OFFSET_MASK);
21117 - dest = mod->module_core + sechdrs[i].sh_entsize;
21118 + if (sechdrs[i].sh_entsize & INIT_OFFSET_MASK) {
21119 + if ((sechdrs[i].sh_flags & SHF_WRITE) || !(sechdrs[i].sh_flags & SHF_ALLOC))
21120 + dest = mod->module_init_rw
21121 + + (sechdrs[i].sh_entsize & ~INIT_OFFSET_MASK);
21123 + dest = mod->module_init_rx
21124 + + (sechdrs[i].sh_entsize & ~INIT_OFFSET_MASK);
21126 + if ((sechdrs[i].sh_flags & SHF_WRITE) || !(sechdrs[i].sh_flags & SHF_ALLOC))
21127 + dest = mod->module_core_rw + sechdrs[i].sh_entsize;
21129 + dest = mod->module_core_rx + sechdrs[i].sh_entsize;
21132 - if (sechdrs[i].sh_type != SHT_NOBITS)
21133 - memcpy(dest, (void *)sechdrs[i].sh_addr,
21134 - sechdrs[i].sh_size);
21135 + if (sechdrs[i].sh_type != SHT_NOBITS) {
21137 +#ifdef CONFIG_PAX_KERNEXEC
21138 + if (!(sechdrs[i].sh_flags & SHF_WRITE) && (sechdrs[i].sh_flags & SHF_ALLOC))
21139 + pax_open_kernel(cr0);
21142 + memcpy(dest, (void *)sechdrs[i].sh_addr, sechdrs[i].sh_size);
21144 +#ifdef CONFIG_PAX_KERNEXEC
21145 + if (!(sechdrs[i].sh_flags & SHF_WRITE) && (sechdrs[i].sh_flags & SHF_ALLOC))
21146 + pax_close_kernel(cr0);
21150 /* Update sh_addr to point to copy in image. */
21151 - sechdrs[i].sh_addr = (unsigned long)dest;
21153 +#ifdef CONFIG_PAX_KERNEXEC
21154 + if (sechdrs[i].sh_flags & SHF_EXECINSTR)
21155 + sechdrs[i].sh_addr = (unsigned long)dest - __KERNEL_TEXT_OFFSET;
21159 + sechdrs[i].sh_addr = (unsigned long)dest;
21160 DEBUGP("\t0x%lx %s\n", sechdrs[i].sh_addr, secstrings + sechdrs[i].sh_name);
21162 /* Module has been moved. */
21163 @@ -1761,8 +1846,18 @@ static struct module *load_module(void _
21166 /* Fix up syms, so that st_value is a pointer to location. */
21168 +#ifdef CONFIG_PAX_KERNEXEC
21169 + pax_open_kernel(cr0);
21172 err = simplify_symbols(sechdrs, symindex, strtab, versindex, pcpuindex,
21175 +#ifdef CONFIG_PAX_KERNEXEC
21176 + pax_close_kernel(cr0);
21182 @@ -1798,11 +1893,20 @@ static struct module *load_module(void _
21183 if (!(sechdrs[info].sh_flags & SHF_ALLOC))
21186 +#ifdef CONFIG_PAX_KERNEXEC
21187 + pax_open_kernel(cr0);
21190 if (sechdrs[i].sh_type == SHT_REL)
21191 err = apply_relocate(sechdrs, strtab, symindex, i,mod);
21192 else if (sechdrs[i].sh_type == SHT_RELA)
21193 err = apply_relocate_add(sechdrs, strtab, symindex, i,
21196 +#ifdef CONFIG_PAX_KERNEXEC
21197 + pax_close_kernel(cr0);
21203 @@ -1816,14 +1920,31 @@ static struct module *load_module(void _
21204 /* Set up and sort exception table */
21205 mod->num_exentries = sechdrs[exindex].sh_size / sizeof(*mod->extable);
21206 mod->extable = extable = (void *)sechdrs[exindex].sh_addr;
21208 +#ifdef CONFIG_PAX_KERNEXEC
21209 + pax_open_kernel(cr0);
21212 sort_extable(extable, extable + mod->num_exentries);
21214 +#ifdef CONFIG_PAX_KERNEXEC
21215 + pax_close_kernel(cr0);
21218 /* Finally, copy percpu area over. */
21219 percpu_modcopy(mod->percpu, (void *)sechdrs[pcpuindex].sh_addr,
21220 sechdrs[pcpuindex].sh_size);
21222 +#ifdef CONFIG_PAX_KERNEXEC
21223 + pax_open_kernel(cr0);
21226 add_kallsyms(mod, sechdrs, symindex, strindex, secstrings);
21228 +#ifdef CONFIG_PAX_KERNEXEC
21229 + pax_close_kernel(cr0);
21232 err = module_finalize(hdr, sechdrs, mod);
21235 @@ -1837,12 +1958,12 @@ static struct module *load_module(void _
21236 * Do it before processing of module parameters, so the module
21237 * can provide parameter accessor functions of its own.
21239 - if (mod->module_init)
21240 - flush_icache_range((unsigned long)mod->module_init,
21241 - (unsigned long)mod->module_init
21242 - + mod->init_size);
21243 - flush_icache_range((unsigned long)mod->module_core,
21244 - (unsigned long)mod->module_core + mod->core_size);
21245 + if (mod->module_init_rx)
21246 + flush_icache_range((unsigned long)mod->module_init_rx,
21247 + (unsigned long)mod->module_init_rx
21248 + + mod->init_size_rx);
21249 + flush_icache_range((unsigned long)mod->module_core_rx,
21250 + (unsigned long)mod->module_core_rx + mod->core_size_rx);
21254 @@ -1890,9 +2011,13 @@ static struct module *load_module(void _
21255 module_arch_cleanup(mod);
21257 module_unload_free(mod);
21258 - module_free(mod, mod->module_init);
21260 - module_free(mod, mod->module_core);
21261 + module_free_exec(mod, mod->module_init_rx);
21263 + module_free_exec(mod, mod->module_core_rx);
21265 + module_free(mod, mod->module_init_rw);
21267 + module_free(mod, mod->module_core_rw);
21270 percpu_modfree(percpu);
21271 @@ -1928,6 +2053,9 @@ sys_init_module(void __user *umod,
21272 struct module *mod;
21275 + if (gr_check_modstop())
21278 /* Must have permission */
21279 if (!capable(CAP_SYS_MODULE))
21281 @@ -1979,10 +2107,12 @@ sys_init_module(void __user *umod,
21282 mod->state = MODULE_STATE_LIVE;
21283 /* Drop initial reference. */
21285 - module_free(mod, mod->module_init);
21286 - mod->module_init = NULL;
21287 - mod->init_size = 0;
21288 - mod->init_text_size = 0;
21289 + module_free(mod, mod->module_init_rw);
21290 + module_free_exec(mod, mod->module_init_rx);
21291 + mod->module_init_rw = NULL;
21292 + mod->module_init_rx = NULL;
21293 + mod->init_size_rw = 0;
21294 + mod->init_size_rx = 0;
21298 @@ -2013,10 +2143,14 @@ static const char *get_ksymbol(struct mo
21299 unsigned long nextval;
21301 /* At worse, next value is at end of module */
21302 - if (within(addr, mod->module_init, mod->init_size))
21303 - nextval = (unsigned long)mod->module_init+mod->init_text_size;
21305 - nextval = (unsigned long)mod->module_core+mod->core_text_size;
21306 + if (within(addr, mod->module_init_rx, mod->init_size_rx))
21307 + nextval = (unsigned long)mod->module_init_rw;
21308 + else if (within(addr, mod->module_init_rw, mod->init_size_rw))
21309 + nextval = (unsigned long)mod->module_core_rx;
21310 + else if (within(addr, mod->module_core_rx, mod->core_size_rx))
21311 + nextval = (unsigned long)mod->module_core_rw;
21313 + nextval = (unsigned long)mod->module_core_rw+mod->core_size_rw;
21315 /* Scan for closest preceeding symbol, and next symbol. (ELF
21316 starts real symbols at 1). */
21317 @@ -2057,8 +2191,10 @@ const char *module_address_lookup(unsign
21318 struct module *mod;
21320 list_for_each_entry(mod, &modules, list) {
21321 - if (within(addr, mod->module_init, mod->init_size)
21322 - || within(addr, mod->module_core, mod->core_size)) {
21323 + if (within(addr, mod->module_init_rx, mod->init_size_rx)
21324 + || within(addr, mod->module_init_rw, mod->init_size_rw)
21325 + || within(addr, mod->module_core_rx, mod->core_size_rx)
21326 + || within(addr, mod->module_core_rw, mod->core_size_rw)) {
21327 *modname = mod->name;
21328 return get_ksymbol(mod, addr, size, offset);
21330 @@ -2069,7 +2205,7 @@ const char *module_address_lookup(unsign
21331 struct module *module_get_kallsym(unsigned int symnum,
21332 unsigned long *value,
21334 - char namebuf[128])
21335 + char namebuf[KSYM_NAME_LEN+1])
21337 struct module *mod;
21339 @@ -2080,7 +2216,7 @@ struct module *module_get_kallsym(unsign
21340 *type = mod->symtab[symnum].st_info;
21342 mod->strtab + mod->symtab[symnum].st_name,
21348 @@ -2157,7 +2293,7 @@ static int m_show(struct seq_file *m, vo
21350 struct module *mod = list_entry(p, struct module, list);
21351 seq_printf(m, "%s %lu",
21352 - mod->name, mod->init_size + mod->core_size);
21353 + mod->name, mod->init_size_rx + mod->init_size_rw + mod->core_size_rx + mod->core_size_rw);
21354 print_unload_info(m, mod);
21356 /* Informative for users. */
21357 @@ -2166,7 +2302,7 @@ static int m_show(struct seq_file *m, vo
21358 mod->state == MODULE_STATE_COMING ? "Loading":
21360 /* Used by oprofile and other similar tools. */
21361 - seq_printf(m, " 0x%p", mod->module_core);
21362 + seq_printf(m, " 0x%p 0x%p", mod->module_core_rx, mod->module_core_rw);
21364 seq_printf(m, "\n");
21366 @@ -2214,9 +2350,13 @@ struct module *__module_text_address(uns
21368 struct module *mod;
21370 +#ifdef CONFIG_PAX_KERNEXEC
21371 + addr += __KERNEL_TEXT_OFFSET;
21374 list_for_each_entry(mod, &modules, list)
21375 - if (within(addr, mod->module_init, mod->init_text_size)
21376 - || within(addr, mod->module_core, mod->core_text_size))
21377 + if (within(addr, mod->module_init_rx, mod->init_size_rx)
21378 + || within(addr, mod->module_core_rx, mod->core_size_rx))
21382 diff -urNp linux-2.6.16.12/kernel/pid.c linux-2.6.16.12/kernel/pid.c
21383 --- linux-2.6.16.12/kernel/pid.c 2006-05-01 15:14:26.000000000 -0400
21384 +++ linux-2.6.16.12/kernel/pid.c 2006-05-01 20:17:34.000000000 -0400
21386 #include <linux/init.h>
21387 #include <linux/bootmem.h>
21388 #include <linux/hash.h>
21389 +#include <linux/grsecurity.h>
21391 #define pid_hashfn(nr) hash_long((unsigned long)nr, pidhash_shift)
21392 static struct hlist_head *pid_hash[PIDTYPE_MAX];
21393 @@ -76,7 +77,9 @@ int alloc_pidmap(void)
21394 int i, offset, max_scan, pid, last = last_pid;
21398 + pid = gr_random_pid();
21400 + pid = last_pid + 1;
21401 if (pid >= pid_max)
21402 pid = RESERVED_PIDS;
21403 offset = pid & BITS_PER_PAGE_MASK;
21404 @@ -207,12 +210,18 @@ void fastcall detach_pid(task_t *task, e
21405 task_t *find_task_by_pid_type(int type, int nr)
21408 + task_t *task = NULL;
21410 pid = find_pid(type, nr);
21414 - return pid_task(&pid->pid_list, type);
21415 + task = pid_task(&pid->pid_list, type);
21417 + if (gr_pid_is_chrooted(task))
21423 EXPORT_SYMBOL(find_task_by_pid_type);
21424 diff -urNp linux-2.6.16.12/kernel/posix-cpu-timers.c linux-2.6.16.12/kernel/posix-cpu-timers.c
21425 --- linux-2.6.16.12/kernel/posix-cpu-timers.c 2006-05-01 15:14:26.000000000 -0400
21426 +++ linux-2.6.16.12/kernel/posix-cpu-timers.c 2006-05-01 20:17:34.000000000 -0400
21428 #include <asm/uaccess.h>
21429 #include <linux/errno.h>
21430 #include <linux/vs_pid.h>
21431 +#include <linux/grsecurity.h>
21433 static int check_clock(const clockid_t which_clock)
21435 @@ -1129,6 +1130,7 @@ static void check_process_timers(struct
21436 __group_send_sig_info(SIGKILL, SEND_SIG_PRIV, tsk);
21439 + gr_learn_resource(tsk, RLIMIT_CPU, psecs, 1);
21440 if (psecs >= sig->rlim[RLIMIT_CPU].rlim_cur) {
21442 * At the soft limit, send a SIGXCPU every second.
21443 diff -urNp linux-2.6.16.12/kernel/printk.c linux-2.6.16.12/kernel/printk.c
21444 --- linux-2.6.16.12/kernel/printk.c 2006-05-01 15:14:26.000000000 -0400
21445 +++ linux-2.6.16.12/kernel/printk.c 2006-05-01 20:17:34.000000000 -0400
21447 #include <linux/syscalls.h>
21448 #include <linux/vs_context.h>
21449 #include <linux/vserver/cvirt.h>
21450 +#include <linux/grsecurity.h>
21452 #include <asm/uaccess.h>
21454 @@ -225,6 +226,11 @@ int do_syslog(int type, char __user *buf
21458 +#ifdef CONFIG_GRKERNSEC_DMESG
21459 + if (grsec_enable_dmesg && !capable(CAP_SYS_ADMIN))
21463 error = security_syslog(type);
21466 diff -urNp linux-2.6.16.12/kernel/ptrace.c linux-2.6.16.12/kernel/ptrace.c
21467 --- linux-2.6.16.12/kernel/ptrace.c 2006-05-01 15:14:26.000000000 -0400
21468 +++ linux-2.6.16.12/kernel/ptrace.c 2006-05-01 20:17:34.000000000 -0400
21470 #include <linux/security.h>
21471 #include <linux/signal.h>
21472 #include <linux/vs_pid.h>
21473 +#include <linux/grsecurity.h>
21475 #include <asm/pgtable.h>
21476 #include <asm/uaccess.h>
21477 @@ -129,10 +130,10 @@ static int may_attach(struct task_struct
21478 (current->uid != task->uid) ||
21479 (current->gid != task->egid) ||
21480 (current->gid != task->sgid) ||
21481 - (current->gid != task->gid)) && !capable(CAP_SYS_PTRACE))
21482 + (current->gid != task->gid)) && !capable_nolog(CAP_SYS_PTRACE))
21485 - if (!task->mm->dumpable && !capable(CAP_SYS_PTRACE))
21486 + if (!task->mm->dumpable && !capable_nolog(CAP_SYS_PTRACE))
21489 return security_ptrace(current, task);
21490 @@ -500,6 +501,11 @@ asmlinkage long sys_ptrace(long request,
21492 goto out_put_task_struct;
21494 + if (gr_handle_ptrace(child, request)) {
21496 + goto out_put_task_struct;
21499 ret = arch_ptrace(child, request, addr, data);
21501 goto out_put_task_struct;
21502 diff -urNp linux-2.6.16.12/kernel/resource.c linux-2.6.16.12/kernel/resource.c
21503 --- linux-2.6.16.12/kernel/resource.c 2006-05-01 15:14:26.000000000 -0400
21504 +++ linux-2.6.16.12/kernel/resource.c 2006-05-01 20:17:34.000000000 -0400
21505 @@ -136,10 +136,27 @@ static int __init ioresources_init(void)
21507 struct proc_dir_entry *entry;
21509 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
21510 +#ifdef CONFIG_GRKERNSEC_PROC_USER
21511 + entry = create_proc_entry("ioports", S_IRUSR, NULL);
21512 +#elif CONFIG_GRKERNSEC_PROC_USERGROUP
21513 + entry = create_proc_entry("ioports", S_IRUSR | S_IRGRP, NULL);
21516 entry = create_proc_entry("ioports", 0, NULL);
21519 entry->proc_fops = &proc_ioports_operations;
21521 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
21522 +#ifdef CONFIG_GRKERNSEC_PROC_USER
21523 + entry = create_proc_entry("iomem", S_IRUSR, NULL);
21524 +#elif CONFIG_GRKERNSEC_PROC_USERGROUP
21525 + entry = create_proc_entry("iomem", S_IRUSR | S_IRGRP, NULL);
21528 entry = create_proc_entry("iomem", 0, NULL);
21531 entry->proc_fops = &proc_iomem_operations;
21533 diff -urNp linux-2.6.16.12/kernel/sched.c linux-2.6.16.12/kernel/sched.c
21534 --- linux-2.6.16.12/kernel/sched.c 2006-05-01 15:14:26.000000000 -0400
21535 +++ linux-2.6.16.12/kernel/sched.c 2006-05-01 20:17:34.000000000 -0400
21537 #include <linux/syscalls.h>
21538 #include <linux/times.h>
21539 #include <linux/acct.h>
21540 +#include <linux/grsecurity.h>
21541 #include <asm/tlb.h>
21543 #include <asm/unistd.h>
21544 @@ -3613,7 +3614,8 @@ asmlinkage long sys_nice(int increment)
21548 - if (increment < 0 && !can_nice(current, nice))
21549 + if (increment < 0 && (!can_nice(current, nice) ||
21550 + gr_handle_chroot_nice()))
21551 return vx_flags(VXF_IGNEG_NICE, 0) ? 0 : -EPERM;
21553 retval = security_task_setnice(current, nice);
21554 diff -urNp linux-2.6.16.12/kernel/signal.c linux-2.6.16.12/kernel/signal.c
21555 --- linux-2.6.16.12/kernel/signal.c 2006-05-01 15:14:26.000000000 -0400
21556 +++ linux-2.6.16.12/kernel/signal.c 2006-05-01 20:17:34.000000000 -0400
21558 #include <linux/audit.h>
21559 #include <linux/capability.h>
21560 #include <linux/vs_pid.h>
21561 +#include <linux/grsecurity.h>
21562 #include <asm/param.h>
21563 #include <asm/uaccess.h>
21564 #include <asm/unistd.h>
21565 @@ -381,6 +382,7 @@ void __exit_signal(struct task_struct *t
21567 if (tsk == sig->curr_target)
21568 sig->curr_target = next_thread(tsk);
21569 + gr_del_task_from_ip_table(tsk);
21570 tsk->signal = NULL;
21572 * Accumulate here the counters for all threads but the
21573 @@ -687,11 +689,11 @@ static int check_kill_permission(int sig
21574 (!is_si_special(info) && SI_FROMUSER(info)));
21577 - if (user && ((sig != SIGCONT) ||
21578 + if (user && ((((sig != SIGCONT) ||
21579 (current->signal->session != t->signal->session))
21580 && (current->euid ^ t->suid) && (current->euid ^ t->uid)
21581 && (current->uid ^ t->suid) && (current->uid ^ t->uid)
21582 - && !capable(CAP_KILL))
21583 + && !capable(CAP_KILL)) || gr_handle_signal(t, sig)))
21587 @@ -699,8 +701,10 @@ static int check_kill_permission(int sig
21590 error = security_task_kill(t, info, sig);
21593 audit_signal_info(sig, t); /* Let audit system see the signal */
21594 + gr_log_signal(sig, t);
21599 @@ -880,7 +884,7 @@ out_set:
21600 (((sig) < SIGRTMIN) && sigismember(&(sigptr)->signal, (sig)))
21605 specific_send_sig_info(int sig, struct siginfo *info, struct task_struct *t)
21608 @@ -926,6 +930,10 @@ force_sig_info(int sig, struct siginfo *
21610 recalc_sigpending_tsk(t);
21611 ret = specific_send_sig_info(sig, info, t);
21613 + gr_log_signal(sig, t);
21614 + gr_handle_crash(t, sig);
21616 spin_unlock_irqrestore(&t->sighand->siglock, flags);
21619 diff -urNp linux-2.6.16.12/kernel/sys.c linux-2.6.16.12/kernel/sys.c
21620 --- linux-2.6.16.12/kernel/sys.c 2006-05-01 15:14:26.000000000 -0400
21621 +++ linux-2.6.16.12/kernel/sys.c 2006-05-01 20:17:34.000000000 -0400
21623 #include <linux/cn_proc.h>
21624 #include <linux/vs_cvirt.h>
21625 #include <linux/vs_pid.h>
21626 +#include <linux/grsecurity.h>
21628 #include <linux/compat.h>
21629 #include <linux/syscalls.h>
21630 @@ -228,18 +229,37 @@ int unregister_reboot_notifier(struct no
21631 EXPORT_SYMBOL(unregister_reboot_notifier);
21633 #ifndef CONFIG_SECURITY
21634 +extern int gr_task_is_capable(struct task_struct *task, const int cap);
21635 +extern int gr_is_capable_nolog(const int cap);
21636 int capable(int cap)
21638 if (vx_check_bit(VXC_CAP_MASK, cap) && !vx_mcaps(1L << cap))
21640 - if (vx_cap_raised(current->vx_info, current->cap_effective, cap)) {
21641 + if (vx_cap_raised(current->vx_info, current->cap_effective, cap)
21642 + && gr_task_is_capable(current, cap)) {
21643 current->flags |= PF_SUPERPRIV;
21648 +int capable_nolog(int cap)
21650 + if (vx_cap_raised(current->vx_info, current->cap_effective, cap)
21651 + && gr_is_capable_nolog(cap)) {
21652 + current->flags |= PF_SUPERPRIV;
21657 EXPORT_SYMBOL(capable);
21659 +int capable_nolog(int cap)
21661 + return capable(cap);
21665 +EXPORT_SYMBOL(capable_nolog);
21667 static int set_one_prio(struct task_struct *p, int niceval, int error)
21669 @@ -257,6 +277,12 @@ static int set_one_prio(struct task_stru
21674 + if (gr_handle_chroot_setpriority(p, niceval)) {
21679 no_nice = security_task_setnice(p, niceval);
21682 @@ -654,6 +680,9 @@ asmlinkage long sys_setregid(gid_t rgid,
21683 if (rgid != (gid_t) -1 ||
21684 (egid != (gid_t) -1 && egid != old_rgid))
21685 current->sgid = new_egid;
21687 + gr_set_role_label(current, current->uid, new_rgid);
21689 current->fsgid = new_egid;
21690 current->egid = new_egid;
21691 current->gid = new_rgid;
21692 @@ -683,6 +712,9 @@ asmlinkage long sys_setgid(gid_t gid)
21693 current->mm->dumpable = suid_dumpable;
21697 + gr_set_role_label(current, current->uid, gid);
21699 current->gid = current->egid = current->sgid = current->fsgid = gid;
21701 else if ((gid == current->gid) || (gid == current->sgid))
21702 @@ -724,6 +756,9 @@ static int set_user(uid_t new_ruid, int
21703 current->mm->dumpable = suid_dumpable;
21707 + gr_set_role_label(current, new_ruid, current->gid);
21709 current->uid = new_ruid;
21712 @@ -827,6 +862,9 @@ asmlinkage long sys_setuid(uid_t uid)
21713 } else if ((uid != current->uid) && (uid != new_suid))
21716 + if (gr_check_crash_uid(uid))
21719 if (old_euid != uid)
21721 current->mm->dumpable = suid_dumpable;
21722 @@ -932,8 +970,10 @@ asmlinkage long sys_setresgid(gid_t rgid
21723 current->egid = egid;
21725 current->fsgid = current->egid;
21726 - if (rgid != (gid_t) -1)
21727 + if (rgid != (gid_t) -1) {
21728 + gr_set_role_label(current, current->uid, rgid);
21729 current->gid = rgid;
21731 if (sgid != (gid_t) -1)
21732 current->sgid = sgid;
21734 diff -urNp linux-2.6.16.12/kernel/sysctl.c linux-2.6.16.12/kernel/sysctl.c
21735 --- linux-2.6.16.12/kernel/sysctl.c 2006-05-01 15:14:26.000000000 -0400
21736 +++ linux-2.6.16.12/kernel/sysctl.c 2006-05-01 20:17:34.000000000 -0400
21737 @@ -55,6 +55,14 @@ extern int proc_nr_files(ctl_table *tabl
21738 void __user *buffer, size_t *lenp, loff_t *ppos);
21740 #if defined(CONFIG_SYSCTL)
21741 +#include <linux/grsecurity.h>
21742 +#include <linux/grinternal.h>
21744 +extern __u32 gr_handle_sysctl(const ctl_table *table, const void *oldval,
21745 + const void *newval);
21746 +extern int gr_handle_sysctl_mod(const char *dirname, const char *name,
21748 +extern int gr_handle_chroot_sysctl(const int op);
21750 /* External variables not in a header file. */
21752 @@ -162,6 +170,22 @@ extern ctl_table inotify_table[];
21753 #ifdef HAVE_ARCH_PICK_MMAP_LAYOUT
21754 int sysctl_legacy_va_layout;
21756 +extern ctl_table grsecurity_table[];
21758 +#ifdef CONFIG_PAX_SOFTMODE
21759 +static ctl_table pax_table[] = {
21761 + .ctl_name = PAX_SOFTMODE,
21762 + .procname = "softmode",
21763 + .data = &pax_softmode,
21764 + .maxlen = sizeof(unsigned int),
21766 + .proc_handler = &proc_dointvec,
21769 + { .ctl_name = 0 }
21773 /* /proc declarations: */
21775 @@ -713,6 +737,25 @@ static ctl_table kern_table[] = {
21776 .proc_handler = &proc_dointvec,
21780 +#if defined(CONFIG_GRKERNSEC_SYSCTL) || defined(CONFIG_GRKERNSEC_MODSTOP)
21782 + .ctl_name = KERN_GRSECURITY,
21783 + .procname = "grsecurity",
21785 + .child = grsecurity_table,
21789 +#ifdef CONFIG_PAX_SOFTMODE
21791 + .ctl_name = KERN_PAX,
21792 + .procname = "pax",
21794 + .child = pax_table,
21801 @@ -1211,6 +1254,10 @@ static int test_perm(int mode, int op)
21802 static inline int ctl_perm(ctl_table *table, int op)
21805 + if (table->de && gr_handle_sysctl_mod(table->de->parent->name, table->de->name, op))
21807 + if (gr_handle_chroot_sysctl(op))
21809 error = security_sysctl(table, op);
21812 @@ -1247,6 +1234,10 @@ repeat:
21813 table = table->child;
21817 + if (!gr_handle_sysctl(table, oldval, newval))
21820 error = do_sysctl_strategy(table, name, nlen,
21822 newval, newlen, context);
21823 diff -urNp linux-2.6.16.12/kernel/time.c linux-2.6.16.12/kernel/time.c
21824 --- linux-2.6.16.12/kernel/time.c 2006-05-01 15:14:26.000000000 -0400
21825 +++ linux-2.6.16.12/kernel/time.c 2006-05-01 20:17:34.000000000 -0400
21827 #include <linux/security.h>
21828 #include <linux/fs.h>
21829 #include <linux/module.h>
21830 +#include <linux/grsecurity.h>
21832 #include <asm/uaccess.h>
21833 #include <asm/unistd.h>
21834 @@ -93,6 +94,9 @@ asmlinkage long sys_stime(time_t __user
21837 vx_settimeofday(&tv);
21839 + gr_log_timechange();
21844 @@ -199,6 +203,8 @@ asmlinkage long sys_settimeofday(struct
21848 + gr_log_timechange();
21850 return do_sys_settimeofday(tv ? &new_ts : NULL, tz ? &new_tz : NULL);
21853 diff -urNp linux-2.6.16.12/Makefile linux-2.6.16.12/Makefile
21854 --- linux-2.6.16.12/Makefile 2006-05-01 15:14:26.000000000 -0400
21855 +++ linux-2.6.16.12/Makefile 2006-05-01 20:17:34.000000000 -0400
21856 @@ -556,7 +556,7 @@ export MODLIB
21859 ifeq ($(KBUILD_EXTMOD),)
21860 -core-y += kernel/ mm/ fs/ ipc/ security/ crypto/ block/
21861 +core-y += kernel/ mm/ fs/ ipc/ security/ crypto/ block/ grsecurity/
21863 vmlinux-dirs := $(patsubst %/,%,$(filter %/, $(init-y) $(init-m) \
21864 $(core-y) $(core-m) $(drivers-y) $(drivers-m) \
21865 diff -urNp linux-2.6.16.12/mm/filemap.c linux-2.6.16.12/mm/filemap.c
21866 --- linux-2.6.16.12/mm/filemap.c 2006-05-01 15:14:26.000000000 -0400
21867 +++ linux-2.6.16.12/mm/filemap.c 2006-05-01 20:17:34.000000000 -0400
21869 #include <linux/blkdev.h>
21870 #include <linux/security.h>
21871 #include <linux/syscalls.h>
21872 +#include <linux/grsecurity.h>
21873 #include "filemap.h"
21875 * FIXME: remove all knowledge of the buffer layer from the core VM
21876 @@ -1617,7 +1618,13 @@ int generic_file_mmap(struct file * file
21877 struct address_space *mapping = file->f_mapping;
21879 if (!mapping->a_ops->readpage)
21883 +#ifdef CONFIG_PAX_PAGEEXEC
21884 + if (vma->vm_mm->pax_flags & MF_PAX_PAGEEXEC)
21885 + vma->vm_page_prot = protection_map[vma->vm_flags & 0x0f];
21888 file_accessed(file);
21889 vma->vm_ops = &generic_file_vm_ops;
21891 @@ -1852,6 +1859,7 @@ inline int generic_write_checks(struct f
21892 *pos = i_size_read(inode);
21894 if (limit != RLIM_INFINITY) {
21895 + gr_learn_resource(current, RLIMIT_FSIZE,*pos, 0);
21896 if (*pos >= limit) {
21897 send_sig(SIGXFSZ, current, 0);
21899 diff -urNp linux-2.6.16.12/mm/madvise.c linux-2.6.16.12/mm/madvise.c
21900 --- linux-2.6.16.12/mm/madvise.c 2006-05-01 15:14:26.000000000 -0400
21901 +++ linux-2.6.16.12/mm/madvise.c 2006-05-01 20:17:34.000000000 -0400
21903 * We can potentially split a vm area into separate
21904 * areas, each area with its own behavior.
21907 +#ifdef CONFIG_PAX_SEGMEXEC
21908 +static long __madvise_behavior(struct vm_area_struct * vma,
21909 + struct vm_area_struct **prev,
21910 + unsigned long start, unsigned long end, int behavior);
21912 +static long madvise_behavior(struct vm_area_struct * vma,
21913 + struct vm_area_struct **prev,
21914 + unsigned long start, unsigned long end, int behavior)
21916 + if (vma->vm_flags & VM_MIRROR) {
21917 + struct vm_area_struct * vma_m, * prev_m;
21918 + unsigned long start_m, end_m;
21921 + start_m = vma->vm_start + vma->vm_mirror;
21922 + vma_m = find_vma_prev(vma->vm_mm, start_m, &prev_m);
21923 + if (vma_m && vma_m->vm_start == start_m && (vma_m->vm_flags & VM_MIRROR)) {
21924 + start_m = start + vma->vm_mirror;
21925 + end_m = end + vma->vm_mirror;
21926 + error = __madvise_behavior(vma_m, &prev_m, start_m, end_m, behavior);
21930 + printk("PAX: VMMIRROR: madvise bug in %s, %08lx\n", current->comm, vma->vm_start);
21935 + return __madvise_behavior(vma, prev, start, end, behavior);
21938 +static long __madvise_behavior(struct vm_area_struct * vma,
21939 + struct vm_area_struct **prev,
21940 + unsigned long start, unsigned long end, int behavior)
21942 static long madvise_behavior(struct vm_area_struct * vma,
21943 struct vm_area_struct **prev,
21944 unsigned long start, unsigned long end, int behavior)
21947 struct mm_struct * mm = vma->vm_mm;
21949 diff -urNp linux-2.6.16.12/mm/memory.c linux-2.6.16.12/mm/memory.c
21950 --- linux-2.6.16.12/mm/memory.c 2006-05-01 15:14:26.000000000 -0400
21951 +++ linux-2.6.16.12/mm/memory.c 2006-05-01 20:17:34.000000000 -0400
21953 #include <linux/rmap.h>
21954 #include <linux/module.h>
21955 #include <linux/init.h>
21956 +#include <linux/grsecurity.h>
21958 #include <asm/pgalloc.h>
21959 #include <asm/uaccess.h>
21960 @@ -321,6 +322,11 @@ int __pte_alloc(struct mm_struct *mm, pm
21962 int __pte_alloc_kernel(pmd_t *pmd, unsigned long address)
21965 +#ifdef CONFIG_PAX_KERNEXEC
21966 + unsigned long cr0;
21969 pte_t *new = pte_alloc_one_kernel(&init_mm, address);
21972 @@ -328,8 +334,19 @@ int __pte_alloc_kernel(pmd_t *pmd, unsig
21973 spin_lock(&init_mm.page_table_lock);
21974 if (pmd_present(*pmd)) /* Another has populated it */
21975 pte_free_kernel(new);
21979 +#ifdef CONFIG_PAX_KERNEXEC
21980 + pax_open_kernel(cr0);
21983 pmd_populate_kernel(&init_mm, pmd, new);
21985 +#ifdef CONFIG_PAX_KERNEXEC
21986 + pax_close_kernel(cr0);
21990 spin_unlock(&init_mm.page_table_lock);
21993 @@ -1434,6 +1451,88 @@ static inline void cow_user_page(struct
21994 copy_user_highpage(dst, src, va);
21997 +#ifdef CONFIG_PAX_SEGMEXEC
21998 +/* PaX: if vma is mirrored, synchronize the mirror's PTE
22000 + * the ptl of the lower mapped page is held on entry and is not released on exit
22001 + * or inside to ensure atomic changes to the PTE states (swapout, mremap, munmap, etc)
22003 +static void pax_mirror_fault(struct vm_area_struct *vma, unsigned long address, pte_t *pte)
22005 + struct mm_struct *mm = vma->vm_mm;
22006 + unsigned long address_m, pfn_m;
22007 + struct vm_area_struct * vma_m = NULL;
22008 + pte_t * pte_m, entry_m;
22009 + struct page * page_m = NULL;
22011 + address_m = vma->vm_start + vma->vm_mirror;
22012 + vma_m = find_vma(mm, address_m);
22013 + BUG_ON(!vma_m || vma_m->vm_start != address_m);
22015 + address_m = address + vma->vm_mirror;
22016 + pte_m = pte_offset_map_nested(pmd_offset(pud_offset(pgd_offset(mm, address_m), address_m), address_m), address_m);
22018 + if (pte_same(*pte, *pte_m)) {
22019 + pte_unmap_nested(pte_m);
22023 + if (pte_present(*pte_m)) {
22024 + page_m = vm_normal_page(vma_m, address_m, *pte_m);
22026 + flush_cache_page(vma_m, address_m, pfn_m);
22027 + flush_icache_page(vma_m, page_m);
22031 + if (pte_present(*pte_m))
22032 + entry_m = ptep_clear_flush(vma_m, address_m, pte_m);
22034 + entry_m = ptep_get_and_clear(mm, address_m, pte_m);
22036 + if (pte_none(entry_m)) {
22037 + } else if (pte_present(entry_m)) {
22039 + page_remove_rmap(page_m);
22040 + if (PageAnon(page_m))
22041 + dec_mm_counter(mm, anon_rss);
22043 + dec_mm_counter(mm, file_rss);
22044 + page_cache_release(page_m);
22046 + } else if (!pte_file(entry_m)) {
22047 + free_swap_and_cache(pte_to_swp_entry(entry_m));
22049 + printk(KERN_ERR "PAX: VMMIRROR: bug in mirror_fault: %08lx, %08lx, %08lx, %08lx\n",
22050 + address, vma->vm_start, address_m, vma_m->vm_start);
22053 + pfn_m = pte_pfn(*pte);
22054 + page_m = vm_normal_page(vma, address, *pte);
22055 + entry_m = pfn_pte(pfn_m, vma_m->vm_page_prot);
22056 + if (pte_write(*pte))
22057 + entry_m = maybe_mkwrite(pte_mkdirty(entry_m), vma_m);
22059 + page_cache_get(page_m);
22061 + * we can test PAGE_MAPPING_ANON without holding page_map_lock because
22062 + * we hold the page table lock and have a reference to page_m
22064 + if (PageAnon(page_m)) {
22065 + page_add_anon_rmap(page_m, vma_m, address_m);
22066 + inc_mm_counter(mm, anon_rss);
22068 + page_add_file_rmap(page_m);
22069 + inc_mm_counter(mm, file_rss);
22072 + set_pte_at(mm, address_m, pte_m, entry_m);
22073 + update_mmu_cache(vma_m, address_m, entry_m);
22074 + lazy_mmu_prot_update(entry_m);
22075 + pte_unmap_nested(pte_m);
22080 * This routine handles present pages, when users try to write
22081 * to a shared page. It is done by copying the page to a new address
22082 @@ -1524,6 +1623,12 @@ gotten:
22083 /* Free the old page.. */
22084 new_page = old_page;
22085 ret |= VM_FAULT_WRITE;
22087 +#ifdef CONFIG_PAX_SEGMEXEC
22088 + if (vma->vm_flags & VM_MIRROR)
22089 + pax_mirror_fault(vma, address, page_table);
22094 page_cache_release(new_page);
22095 @@ -1774,6 +1879,7 @@ int vmtruncate(struct inode * inode, lof
22098 limit = current->signal->rlim[RLIMIT_FSIZE].rlim_cur;
22099 + gr_learn_resource(current, RLIMIT_FSIZE, offset, 1);
22100 if (limit != RLIM_INFINITY && offset > limit)
22102 if (offset > inode->i_sb->s_maxbytes)
22103 @@ -1967,6 +2073,12 @@ again:
22104 /* No need to invalidate - it was non-present before */
22105 update_mmu_cache(vma, address, pte);
22106 lazy_mmu_prot_update(pte);
22108 +#ifdef CONFIG_PAX_SEGMEXEC
22109 + if (vma->vm_flags & VM_MIRROR)
22110 + pax_mirror_fault(vma, address, page_table);
22114 pte_unmap_unlock(page_table, ptl);
22116 @@ -2031,6 +2143,12 @@ static int do_anonymous_page(struct mm_s
22117 /* No need to invalidate - it was non-present before */
22118 update_mmu_cache(vma, address, entry);
22119 lazy_mmu_prot_update(entry);
22121 +#ifdef CONFIG_PAX_SEGMEXEC
22122 + if (vma->vm_flags & VM_MIRROR)
22123 + pax_mirror_fault(vma, address, page_table);
22127 pte_unmap_unlock(page_table, ptl);
22128 return VM_FAULT_MINOR;
22129 @@ -2159,6 +2277,12 @@ retry:
22130 /* no need to invalidate: a not-present page shouldn't be cached */
22131 update_mmu_cache(vma, address, entry);
22132 lazy_mmu_prot_update(entry);
22134 +#ifdef CONFIG_PAX_SEGMEXEC
22135 + if (vma->vm_flags & VM_MIRROR)
22136 + pax_mirror_fault(vma, address, page_table);
22140 pte_unmap_unlock(page_table, ptl);
22142 @@ -2282,6 +2406,12 @@ static inline int handle_pte_fault(struc
22143 flush_tlb_page(vma, address);
22147 +#ifdef CONFIG_PAX_SEGMEXEC
22148 + if (vma->vm_flags & VM_MIRROR)
22149 + pax_mirror_fault(vma, address, pte);
22152 pte_unmap_unlock(pte, ptl);
22153 ret = VM_FAULT_MINOR;
22155 @@ -2307,6 +2437,49 @@ int __handle_mm_fault(struct mm_struct *
22156 if (unlikely(is_vm_hugetlb_page(vma)))
22157 return hugetlb_fault(mm, vma, address, write_access);
22159 +#ifdef CONFIG_PAX_SEGMEXEC
22160 + if (vma->vm_flags & VM_MIRROR) {
22161 + unsigned long address_m;
22162 + struct vm_area_struct * vma_m;
22167 + address_m = vma->vm_start + vma->vm_mirror;
22168 + vma_m = find_vma(mm, address_m);
22170 + /* PaX: sanity checks */
22172 + printk(KERN_ERR "PAX: VMMIRROR: fault bug, %08lx, %p, %08lx, %p\n",
22173 + address, vma, address_m, vma_m);
22174 + return VM_FAULT_SIGBUS;
22175 + } else if (!(vma_m->vm_flags & VM_MIRROR) ||
22176 + vma_m->vm_start != address_m ||
22177 + vma->vm_end - vma->vm_start != vma_m->vm_end - vma_m->vm_start)
22179 + printk(KERN_ERR "PAX: VMMIRROR: fault bug2, %08lx, %08lx, %08lx, %08lx, %08lx\n",
22180 + address, vma->vm_start, vma_m->vm_start, vma->vm_end, vma_m->vm_end);
22181 + return VM_FAULT_SIGBUS;
22184 + if (address_m < address) {
22185 + address += vma->vm_mirror;
22189 + address_m = address + vma->vm_mirror;
22190 + pgd_m = pgd_offset(mm, address_m);
22191 + pud_m = pud_alloc(mm, pgd_m, address_m);
22193 + return VM_FAULT_OOM;
22194 + pmd_m = pmd_alloc(mm, pud_m, address_m);
22196 + return VM_FAULT_OOM;
22197 + if (!pmd_present(*pmd_m) && __pte_alloc(mm, pmd_m, address_m))
22198 + return VM_FAULT_OOM;
22202 pgd = pgd_offset(mm, address);
22203 pud = pud_alloc(mm, pgd, address);
22205 diff -urNp linux-2.6.16.12/mm/mempolicy.c linux-2.6.16.12/mm/mempolicy.c
22206 --- linux-2.6.16.12/mm/mempolicy.c 2006-05-01 15:14:26.000000000 -0400
22207 +++ linux-2.6.16.12/mm/mempolicy.c 2006-05-01 20:17:34.000000000 -0400
22208 @@ -356,6 +356,12 @@ check_range(struct mm_struct *mm, unsign
22209 if (prev && prev->vm_end < vma->vm_start)
22210 return ERR_PTR(-EFAULT);
22213 +#ifdef CONFIG_PAX_SEGMEXEC
22214 + if (vma->vm_flags & VM_MIRROR)
22215 + return ERR_PTR(-EFAULT);
22218 if (!is_vm_hugetlb_page(vma) &&
22219 ((flags & MPOL_MF_STRICT) ||
22220 ((flags & (MPOL_MF_MOVE | MPOL_MF_MOVE_ALL)) &&
22221 diff -urNp linux-2.6.16.12/mm/mlock.c linux-2.6.16.12/mm/mlock.c
22222 --- linux-2.6.16.12/mm/mlock.c 2006-05-01 15:14:26.000000000 -0400
22223 +++ linux-2.6.16.12/mm/mlock.c 2006-05-01 20:17:34.000000000 -0400
22224 @@ -11,14 +11,85 @@
22225 #include <linux/mempolicy.h>
22226 #include <linux/syscalls.h>
22227 #include <linux/vs_memory.h>
22228 +#include <linux/grsecurity.h>
22230 +static int __mlock_fixup(struct vm_area_struct *vma, struct vm_area_struct **prev,
22231 + unsigned long start, unsigned long end, unsigned int newflags);
22233 static int mlock_fixup(struct vm_area_struct *vma, struct vm_area_struct **prev,
22234 unsigned long start, unsigned long end, unsigned int newflags)
22236 struct mm_struct * mm = vma->vm_mm;
22241 +#ifdef CONFIG_PAX_SEGMEXEC
22242 + struct vm_area_struct * vma_m = NULL, *prev_m;
22243 + unsigned long start_m = 0UL, end_m = 0UL, newflags_m = 0UL;
22245 + if (vma->vm_flags & VM_MIRROR) {
22246 + start_m = vma->vm_start + vma->vm_mirror;
22247 + vma_m = find_vma_prev(mm, start_m, &prev_m);
22248 + if (!vma_m || vma_m->vm_start != start_m || !(vma_m->vm_flags & VM_MIRROR)) {
22249 + printk("PAX: VMMIRROR: mlock bug in %s, %08lx\n", current->comm, vma->vm_start);
22253 + start_m = start + vma->vm_mirror;
22254 + end_m = end + vma->vm_mirror;
22255 + if (newflags & VM_LOCKED)
22256 + newflags_m = vma_m->vm_flags | VM_LOCKED;
22258 + newflags_m = vma_m->vm_flags & ~VM_LOCKED;
22259 + ret = __mlock_fixup(vma_m, &prev_m, start_m, end_m, newflags_m);
22265 + ret = __mlock_fixup(vma, prev, start, end, newflags);
22270 + * vm_flags is protected by the mmap_sem held in write mode.
22271 + * It's okay if try_to_unmap_one unmaps a page just after we
22272 + * set VM_LOCKED, make_pages_present below will bring it back.
22274 + vma->vm_flags = newflags;
22276 +#ifdef CONFIG_PAX_SEGMEXEC
22277 + if (vma->vm_flags & VM_MIRROR)
22278 + vma_m->vm_flags = newflags_m;
22282 + * Keep track of amount of locked VM.
22284 + pages = (end - start) >> PAGE_SHIFT;
22285 + if (newflags & VM_LOCKED) {
22287 + if (!(newflags & VM_IO))
22288 + ret = make_pages_present(start, end);
22291 + mm->locked_vm -= pages;
22293 +#ifdef CONFIG_PAX_SEGMEXEC
22294 + if (vma->vm_flags & VM_MIRROR)
22295 + mm->locked_vm -= pages;
22298 + if (ret == -ENOMEM)
22303 +static int __mlock_fixup(struct vm_area_struct *vma, struct vm_area_struct **prev,
22304 + unsigned long start, unsigned long end, unsigned int newflags)
22306 + struct mm_struct * mm = vma->vm_mm;
22310 if (newflags == vma->vm_flags) {
22311 @@ -31,7 +102,7 @@ static int mlock_fixup(struct vm_area_st
22312 vma->vm_file, pgoff, vma_policy(vma));
22320 @@ -42,31 +113,9 @@ static int mlock_fixup(struct vm_area_st
22324 - if (end != vma->vm_end) {
22325 + if (end != vma->vm_end)
22326 ret = split_vma(mm, vma, end, 0);
22333 - * vm_flags is protected by the mmap_sem held in write mode.
22334 - * It's okay if try_to_unmap_one unmaps a page just after we
22335 - * set VM_LOCKED, make_pages_present below will bring it back.
22337 - vma->vm_flags = newflags;
22340 - * Keep track of amount of locked VM.
22342 - pages = (end - start) >> PAGE_SHIFT;
22343 - if (newflags & VM_LOCKED) {
22345 - if (!(newflags & VM_IO))
22346 - ret = make_pages_present(start, end);
22349 - vx_vmlocked_sub(vma->vm_mm, pages);
22351 if (ret == -ENOMEM)
22353 @@ -85,6 +134,17 @@ static int do_mlock(unsigned long start,
22358 +#ifdef CONFIG_PAX_SEGMEXEC
22359 + if (current->mm->pax_flags & MF_PAX_SEGMEXEC) {
22360 + if (end > SEGMEXEC_TASK_SIZE)
22365 + if (end > TASK_SIZE)
22368 vma = find_vma_prev(current->mm, start, &prev);
22369 if (!vma || vma->vm_start > start)
22371 @@ -144,6 +204,7 @@ asmlinkage long sys_mlock(unsigned long
22372 lock_limit >>= PAGE_SHIFT;
22374 /* check against resource limits */
22375 + gr_learn_resource(current, RLIMIT_MEMLOCK, (current->mm->locked_vm << PAGE_SHIFT) + len, 1);
22376 if ((locked <= lock_limit) || capable(CAP_IPC_LOCK))
22377 error = do_mlock(start, len, 1);
22379 @@ -177,6 +238,16 @@ static int do_mlockall(int flags)
22380 for (vma = current->mm->mmap; vma ; vma = prev->vm_next) {
22381 unsigned int newflags;
22383 +#ifdef CONFIG_PAX_SEGMEXEC
22384 + if (current->mm->pax_flags & MF_PAX_SEGMEXEC) {
22385 + if (vma->vm_end > SEGMEXEC_TASK_SIZE)
22390 + if (vma->vm_end > TASK_SIZE)
22393 newflags = vma->vm_flags | VM_LOCKED;
22394 if (!(flags & MCL_CURRENT))
22395 newflags &= ~VM_LOCKED;
22396 @@ -208,6 +279,7 @@ asmlinkage long sys_mlockall(int flags)
22398 if (!vx_vmlocked_avail(current->mm, current->mm->total_vm))
22400 + gr_learn_resource(current, RLIMIT_MEMLOCK, current->mm->total_vm, 1);
22401 if (!(flags & MCL_CURRENT) || (current->mm->total_vm <= lock_limit) ||
22402 capable(CAP_IPC_LOCK))
22403 ret = do_mlockall(flags);
22404 diff -urNp linux-2.6.16.12/mm/mmap.c linux-2.6.16.12/mm/mmap.c
22405 --- linux-2.6.16.12/mm/mmap.c 2006-05-01 15:14:26.000000000 -0400
22406 +++ linux-2.6.16.12/mm/mmap.c 2006-05-01 20:17:34.000000000 -0400
22408 #include <linux/mount.h>
22409 #include <linux/mempolicy.h>
22410 #include <linux/rmap.h>
22411 +#include <linux/grsecurity.h>
22413 #include <asm/uaccess.h>
22414 #include <asm/cacheflush.h>
22415 @@ -60,6 +61,8 @@ pgprot_t protection_map[16] = {
22416 __S000, __S001, __S010, __S011, __S100, __S101, __S110, __S111
22419 +EXPORT_SYMBOL(protection_map);
22421 int sysctl_overcommit_memory = OVERCOMMIT_GUESS; /* heuristic overcommit */
22422 int sysctl_overcommit_ratio = 50; /* default is 50% */
22423 int sysctl_max_map_count __read_mostly = DEFAULT_MAX_MAP_COUNT;
22424 @@ -234,6 +237,7 @@ asmlinkage unsigned long sys_brk(unsigne
22426 /* Check against rlimit.. */
22427 rlim = current->signal->rlim[RLIMIT_DATA].rlim_cur;
22428 + gr_learn_resource(current, RLIMIT_DATA, brk - mm->start_data, 1);
22429 if (rlim < RLIM_INFINITY && brk - mm->start_data > rlim)
22432 @@ -612,11 +616,17 @@ again: remove_next = 1 + (end > next->
22433 * If the vma has a ->close operation then the driver probably needs to release
22434 * per-vma resources, so we don't attempt to merge those.
22436 +#ifdef CONFIG_PAX_SEGMEXEC
22437 +#define VM_SPECIAL (VM_IO | VM_DONTCOPY | VM_DONTEXPAND | VM_RESERVED | VM_PFNMAP | VM_MIRROR)
22439 #define VM_SPECIAL (VM_IO | VM_DONTCOPY | VM_DONTEXPAND | VM_RESERVED | VM_PFNMAP)
22442 static inline int is_mergeable_vma(struct vm_area_struct *vma,
22443 struct file *file, unsigned long vm_flags)
22445 + if ((vma->vm_flags | vm_flags) & VM_SPECIAL)
22447 if (vma->vm_flags != vm_flags)
22449 if (vma->vm_file != file)
22450 @@ -842,9 +852,6 @@ none:
22451 void vm_stat_account(struct mm_struct *mm, unsigned long flags,
22452 struct file *file, long pages)
22454 - const unsigned long stack_flags
22455 - = VM_STACK_FLAGS & (VM_GROWSUP|VM_GROWSDOWN);
22457 #ifdef CONFIG_HUGETLB
22458 if (flags & VM_HUGETLB) {
22459 if (!(flags & VM_DONTCOPY))
22460 @@ -857,7 +864,7 @@ void vm_stat_account(struct mm_struct *m
22461 mm->shared_vm += pages;
22462 if ((flags & (VM_EXEC|VM_WRITE)) == VM_EXEC)
22463 mm->exec_vm += pages;
22464 - } else if (flags & stack_flags)
22465 + } else if (flags & (VM_GROWSUP|VM_GROWSDOWN))
22466 mm->stack_vm += pages;
22467 if (flags & (VM_RESERVED|VM_IO))
22468 mm->reserved_vm += pages;
22469 @@ -868,10 +875,55 @@ void vm_stat_account(struct mm_struct *m
22470 * The caller must hold down_write(current->mm->mmap_sem).
22473 +#ifdef CONFIG_PAX_SEGMEXEC
22474 +static unsigned long __do_mmap_pgoff(struct file * file, unsigned long addr,
22475 + unsigned long len, unsigned long prot,
22476 + unsigned long flags, unsigned long pgoff);
22478 unsigned long do_mmap_pgoff(struct file * file, unsigned long addr,
22479 unsigned long len, unsigned long prot,
22480 unsigned long flags, unsigned long pgoff)
22482 + unsigned long ret = -EINVAL;
22484 + if (flags & MAP_MIRROR)
22487 + if ((current->mm->pax_flags & MF_PAX_SEGMEXEC) &&
22488 + (len > SEGMEXEC_TASK_SIZE || (addr > SEGMEXEC_TASK_SIZE-len)))
22491 + ret = __do_mmap_pgoff(file, addr, len, prot, flags, pgoff);
22493 + if ((current->mm->pax_flags & MF_PAX_SEGMEXEC) && ret < TASK_SIZE && ((flags & MAP_TYPE) == MAP_PRIVATE)
22495 +#ifdef CONFIG_PAX_MPROTECT
22496 + && (!(current->mm->pax_flags & MF_PAX_MPROTECT) || ((prot & PROT_EXEC) && file && !(prot & PROT_WRITE)))
22501 + unsigned long ret_m;
22502 + prot = prot & PROT_EXEC ? prot & ~PROT_WRITE : PROT_NONE;
22503 + ret_m = __do_mmap_pgoff(NULL, ret + SEGMEXEC_TASK_SIZE, 0UL, prot, flags | MAP_MIRROR | MAP_FIXED, ret);
22504 + if (ret_m >= TASK_SIZE) {
22505 + do_munmap(current->mm, ret, len);
22513 +static unsigned long __do_mmap_pgoff(struct file * file, unsigned long addr,
22514 + unsigned long len, unsigned long prot,
22515 + unsigned long flags, unsigned long pgoff)
22517 +unsigned long do_mmap_pgoff(struct file * file, unsigned long addr,
22518 + unsigned long len, unsigned long prot,
22519 + unsigned long flags, unsigned long pgoff)
22522 struct mm_struct * mm = current->mm;
22523 struct vm_area_struct * vma, * prev;
22524 struct inode *inode;
22525 @@ -882,6 +934,28 @@ unsigned long do_mmap_pgoff(struct file
22526 int accountable = 1;
22527 unsigned long charged = 0, reqprot = prot;
22529 +#ifdef CONFIG_PAX_SEGMEXEC
22530 + struct vm_area_struct * vma_m = NULL;
22532 + if (flags & MAP_MIRROR) {
22533 + /* PaX: sanity checks, to be removed when proved to be stable */
22534 + if (file || len || ((flags & MAP_TYPE) != MAP_PRIVATE))
22537 + vma_m = find_vma(mm, pgoff);
22539 + if (!vma_m || is_vm_hugetlb_page(vma_m) ||
22540 + vma_m->vm_start != pgoff ||
22541 + (vma_m->vm_flags & VM_SPECIAL) ||
22542 + (prot & PROT_WRITE))
22545 + file = vma_m->vm_file;
22546 + pgoff = vma_m->vm_pgoff;
22547 + len = vma_m->vm_end - vma_m->vm_start;
22552 if (is_file_hugepages(file))
22554 @@ -922,7 +996,7 @@ unsigned long do_mmap_pgoff(struct file
22555 /* Obtain the address to map to. we verify (or select) it and ensure
22556 * that it represents a valid section of the address space.
22558 - addr = get_unmapped_area(file, addr, len, pgoff, flags);
22559 + addr = get_unmapped_area(file, addr, len, pgoff, flags | ((prot & PROT_EXEC) ? MAP_EXECUTABLE : 0));
22560 if (addr & ~PAGE_MASK)
22563 @@ -933,6 +1007,24 @@ unsigned long do_mmap_pgoff(struct file
22564 vm_flags = calc_vm_prot_bits(prot) | calc_vm_flag_bits(flags) |
22565 mm->def_flags | VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC;
22567 + if (file && (file->f_vfsmnt->mnt_flags & MNT_NOEXEC))
22568 + vm_flags &= ~VM_MAYEXEC;
22570 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
22571 + if (mm->pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
22573 +#ifdef CONFIG_PAX_MPROTECT
22574 + if (mm->pax_flags & MF_PAX_MPROTECT) {
22575 + if ((prot & (PROT_WRITE | PROT_EXEC)) != PROT_EXEC)
22576 + vm_flags &= ~(VM_EXEC | VM_MAYEXEC);
22578 + vm_flags &= ~(VM_WRITE | VM_MAYWRITE);
22585 if (flags & MAP_LOCKED) {
22586 if (!can_do_mlock())
22588 @@ -945,6 +1037,7 @@ unsigned long do_mmap_pgoff(struct file
22589 locked += mm->locked_vm;
22590 lock_limit = current->signal->rlim[RLIMIT_MEMLOCK].rlim_cur;
22591 lock_limit >>= PAGE_SHIFT;
22592 + gr_learn_resource(current, RLIMIT_MEMLOCK, locked << PAGE_SHIFT, 1);
22593 if (locked > lock_limit && !capable(CAP_IPC_LOCK))
22596 @@ -992,6 +1085,11 @@ unsigned long do_mmap_pgoff(struct file
22598 * Set pgoff according to addr for anon_vma.
22601 +#ifdef CONFIG_PAX_SEGMEXEC
22602 + if (!(flags & MAP_MIRROR))
22605 pgoff = addr >> PAGE_SHIFT;
22608 @@ -1003,14 +1101,17 @@ unsigned long do_mmap_pgoff(struct file
22612 + if (!gr_acl_handle_mmap(file, prot))
22615 /* Clear old maps */
22618 vma = find_vma_prepare(mm, addr, &prev, &rb_link, &rb_parent);
22619 if (vma && vma->vm_start < addr + len) {
22620 if (do_munmap(mm, addr, len))
22622 - goto munmap_back;
22623 + vma = find_vma_prepare(mm, addr, &prev, &rb_link, &rb_parent);
22624 + BUG_ON(vma && vma->vm_start < addr + len);
22627 /* Check against address space limit. */
22628 @@ -1059,6 +1160,13 @@ munmap_back:
22629 vma->vm_start = addr;
22630 vma->vm_end = addr + len;
22631 vma->vm_flags = vm_flags;
22633 +#ifdef CONFIG_PAX_PAGEEXEC
22634 + if ((file || !(mm->pax_flags & MF_PAX_PAGEEXEC)) && (vm_flags & (VM_READ|VM_WRITE)))
22635 + vma->vm_page_prot = protection_map[(vm_flags | VM_EXEC) & 0x0f];
22639 vma->vm_page_prot = protection_map[vm_flags & 0x0f];
22640 vma->vm_pgoff = pgoff;
22642 @@ -1083,6 +1191,14 @@ munmap_back:
22646 +#ifdef CONFIG_PAX_SEGMEXEC
22647 + if (flags & MAP_MIRROR) {
22648 + vma_m->vm_flags |= VM_MIRROR;
22649 + vma_m->vm_mirror = vma->vm_start - vma_m->vm_start;
22650 + vma->vm_mirror = vma_m->vm_start - vma->vm_start;
22654 /* We set VM_ACCOUNT in a shared mapping's vm_flags, to inform
22655 * shmem_zero_setup (perhaps called through /dev/zero's ->mmap)
22656 * that memory reservation must be checked; but that reservation
22657 @@ -1118,6 +1234,7 @@ munmap_back:
22659 vx_vmpages_add(mm, len >> PAGE_SHIFT);
22660 vm_stat_account(mm, vm_flags, file, len >> PAGE_SHIFT);
22661 + track_exec_limit(mm, addr, addr + len, vm_flags);
22662 if (vm_flags & VM_LOCKED) {
22663 vx_vmlocked_add(mm, len >> PAGE_SHIFT);
22664 make_pages_present(addr, addr + len);
22665 @@ -1172,6 +1289,10 @@ arch_get_unmapped_area(struct file *filp
22666 if (len > TASK_SIZE)
22669 +#ifdef CONFIG_PAX_RANDMMAP
22670 + if (!(mm->pax_flags & MF_PAX_RANDMMAP) || !filp)
22674 addr = PAGE_ALIGN(addr);
22675 vma = find_vma(mm, addr);
22676 @@ -1182,7 +1303,7 @@ arch_get_unmapped_area(struct file *filp
22677 if (len > mm->cached_hole_size) {
22678 start_addr = addr = mm->free_area_cache;
22680 - start_addr = addr = TASK_UNMAPPED_BASE;
22681 + start_addr = addr = mm->mmap_base;
22682 mm->cached_hole_size = 0;
22685 @@ -1194,9 +1315,8 @@ full_search:
22686 * Start a new search - just in case we missed
22689 - if (start_addr != TASK_UNMAPPED_BASE) {
22690 - addr = TASK_UNMAPPED_BASE;
22691 - start_addr = addr;
22692 + if (start_addr != mm->mmap_base) {
22693 + start_addr = addr = mm->mmap_base;
22694 mm->cached_hole_size = 0;
22697 @@ -1221,7 +1341,7 @@ void arch_unmap_area(struct mm_struct *m
22699 * Is this a new hole at the lowest possible address?
22701 - if (addr >= TASK_UNMAPPED_BASE && addr < mm->free_area_cache) {
22702 + if (addr >= mm->mmap_base && addr < mm->free_area_cache) {
22703 mm->free_area_cache = addr;
22704 mm->cached_hole_size = ~0UL;
22706 @@ -1239,12 +1359,16 @@ arch_get_unmapped_area_topdown(struct fi
22708 struct vm_area_struct *vma;
22709 struct mm_struct *mm = current->mm;
22710 - unsigned long addr = addr0;
22711 + unsigned long base = mm->mmap_base, addr = addr0;
22713 /* requested length too big for entire address space */
22714 if (len > TASK_SIZE)
22717 +#ifdef CONFIG_PAX_RANDMMAP
22718 + if (!(mm->pax_flags & MF_PAX_RANDMMAP) || !filp)
22721 /* requesting a specific address */
22723 addr = PAGE_ALIGN(addr);
22724 @@ -1302,13 +1426,21 @@ bottomup:
22725 * can happen with large stack limits and large mmap()
22728 + mm->mmap_base = TASK_UNMAPPED_BASE;
22730 +#ifdef CONFIG_PAX_RANDMMAP
22731 + if (mm->pax_flags & MF_PAX_RANDMMAP)
22732 + mm->mmap_base += mm->delta_mmap;
22735 + mm->free_area_cache = mm->mmap_base;
22736 mm->cached_hole_size = ~0UL;
22737 - mm->free_area_cache = TASK_UNMAPPED_BASE;
22738 addr = arch_get_unmapped_area(filp, addr0, len, pgoff, flags);
22740 * Restore the topdown base:
22742 - mm->free_area_cache = mm->mmap_base;
22743 + mm->mmap_base = base;
22744 + mm->free_area_cache = base;
22745 mm->cached_hole_size = ~0UL;
22748 @@ -1324,8 +1456,10 @@ void arch_unmap_area_topdown(struct mm_s
22749 mm->free_area_cache = addr;
22751 /* dont allow allocations above current base */
22752 - if (mm->free_area_cache > mm->mmap_base)
22753 + if (mm->free_area_cache > mm->mmap_base) {
22754 mm->free_area_cache = mm->mmap_base;
22755 + mm->cached_hole_size = ~0UL;
22760 @@ -1458,6 +1592,7 @@ static int acct_stack_growth(struct vm_a
22763 /* Stack limit test */
22764 + gr_learn_resource(current, RLIMIT_STACK, size, 1);
22765 if (size > rlim[RLIMIT_STACK].rlim_cur)
22768 @@ -1467,6 +1602,7 @@ static int acct_stack_growth(struct vm_a
22769 unsigned long limit;
22770 locked = mm->locked_vm + grow;
22771 limit = rlim[RLIMIT_MEMLOCK].rlim_cur >> PAGE_SHIFT;
22772 + gr_learn_resource(current, RLIMIT_MEMLOCK, locked << PAGE_SHIFT, 1);
22773 if (locked > limit && !capable(CAP_IPC_LOCK))
22776 @@ -1584,13 +1720,49 @@ int expand_stack(struct vm_area_struct *
22777 if (address < vma->vm_start) {
22778 unsigned long size, grow;
22780 +#ifdef CONFIG_PAX_SEGMEXEC
22781 + struct vm_area_struct *vma_m = NULL;
22782 + unsigned long address_m = 0UL;
22784 + if (vma->vm_flags & VM_MIRROR) {
22785 + address_m = vma->vm_start + vma->vm_mirror;
22786 + vma_m = find_vma(vma->vm_mm, address_m);
22787 + if (!vma_m || vma_m->vm_start != address_m ||
22788 + !(vma_m->vm_flags & VM_MIRROR) ||
22789 + vma->vm_end - vma->vm_start !=
22790 + vma_m->vm_end - vma_m->vm_start ||
22791 + vma->anon_vma != vma_m->anon_vma) {
22792 + printk(KERN_ERR "PAX: VMMIRROR: expand bug, %08lx, %08lx, %08lx, %08lx, %08lx\n",
22793 + address, vma->vm_start, vma_m->vm_start, vma->vm_end, vma_m->vm_end);
22794 + anon_vma_unlock(vma);
22797 + address_m = address + vma->vm_mirror;
22801 size = vma->vm_end - address;
22802 grow = (vma->vm_start - address) >> PAGE_SHIFT;
22804 +#ifdef CONFIG_PAX_SEGMEXEC
22806 + error = acct_stack_growth(vma, size, 2*grow);
22810 error = acct_stack_growth(vma, size, grow);
22812 vma->vm_start = address;
22813 vma->vm_pgoff -= grow;
22814 + track_exec_limit(vma->vm_mm, vma->vm_start, vma->vm_end, vma->vm_flags);
22816 +#ifdef CONFIG_PAX_SEGMEXEC
22818 + vma_m->vm_start = address_m;
22819 + vma_m->vm_pgoff -= grow;
22825 anon_vma_unlock(vma);
22826 @@ -1752,7 +1924,24 @@ int split_vma(struct mm_struct * mm, str
22827 * work. This now handles partial unmappings.
22828 * Jeremy Fitzhardinge <jeremy@goop.org>
22830 +#ifdef CONFIG_PAX_SEGMEXEC
22831 +static int __do_munmap(struct mm_struct *mm, unsigned long start, size_t len);
22833 +int do_munmap(struct mm_struct *mm, unsigned long start, size_t len)
22835 + if (mm->pax_flags & MF_PAX_SEGMEXEC) {
22836 + int ret = __do_munmap(mm, start + SEGMEXEC_TASK_SIZE, len);
22841 + return __do_munmap(mm, start, len);
22844 +static int __do_munmap(struct mm_struct *mm, unsigned long start, size_t len)
22846 int do_munmap(struct mm_struct *mm, unsigned long start, size_t len)
22850 struct vm_area_struct *vma, *prev, *last;
22851 @@ -1806,6 +1995,8 @@ int do_munmap(struct mm_struct *mm, unsi
22852 /* Fix up all other VM information */
22853 remove_vma_list(mm, vma);
22855 + track_exec_limit(mm, start, end, 0UL);
22860 @@ -1818,6 +2009,12 @@ asmlinkage long sys_munmap(unsigned long
22862 profile_munmap(addr);
22864 +#ifdef CONFIG_PAX_SEGMEXEC
22865 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) &&
22866 + (len > SEGMEXEC_TASK_SIZE || addr > SEGMEXEC_TASK_SIZE-len))
22870 down_write(&mm->mmap_sem);
22871 ret = do_munmap(mm, addr, len);
22872 up_write(&mm->mmap_sem);
22873 @@ -1839,11 +2036,35 @@ static inline void verify_mm_writelocked
22874 * anonymous maps. eventually we may be able to do some
22875 * brk-specific accounting here.
22877 +#ifdef CONFIG_PAX_SEGMEXEC
22878 +static unsigned long __do_brk(unsigned long addr, unsigned long len);
22880 unsigned long do_brk(unsigned long addr, unsigned long len)
22882 + unsigned long ret;
22884 + ret = __do_brk(addr, len);
22885 + if (ret == addr && (current->mm->pax_flags & (MF_PAX_SEGMEXEC | MF_PAX_MPROTECT)) == MF_PAX_SEGMEXEC) {
22886 + unsigned long ret_m;
22888 + ret_m = __do_mmap_pgoff(NULL, addr + SEGMEXEC_TASK_SIZE, 0UL, PROT_NONE, MAP_PRIVATE | MAP_FIXED | MAP_MIRROR, addr);
22889 + if (ret_m > TASK_SIZE) {
22890 + do_munmap(current->mm, addr, len);
22898 +static unsigned long __do_brk(unsigned long addr, unsigned long len)
22900 +unsigned long do_brk(unsigned long addr, unsigned long len)
22903 struct mm_struct * mm = current->mm;
22904 struct vm_area_struct * vma, * prev;
22905 - unsigned long flags;
22906 + unsigned long flags, task_size = TASK_SIZE;
22907 struct rb_node ** rb_link, * rb_parent;
22908 pgoff_t pgoff = addr >> PAGE_SHIFT;
22910 @@ -1851,7 +2072,12 @@ unsigned long do_brk(unsigned long addr,
22914 - if ((addr + len) > TASK_SIZE || (addr + len) < addr)
22915 +#ifdef CONFIG_PAX_SEGMEXEC
22916 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
22917 + task_size = SEGMEXEC_TASK_SIZE;
22920 + if ((addr + len) > task_size || (addr + len) < addr)
22924 @@ -1863,6 +2089,7 @@ unsigned long do_brk(unsigned long addr,
22925 locked += mm->locked_vm;
22926 lock_limit = current->signal->rlim[RLIMIT_MEMLOCK].rlim_cur;
22927 lock_limit >>= PAGE_SHIFT;
22928 + gr_learn_resource(current, RLIMIT_MEMLOCK, locked << PAGE_SHIFT, 1);
22929 if (locked > lock_limit && !capable(CAP_IPC_LOCK))
22931 if (!vx_vmlocked_avail(mm, len >> PAGE_SHIFT))
22932 @@ -1878,12 +2105,12 @@ unsigned long do_brk(unsigned long addr,
22934 * Clear old maps. this also does some error checking for us
22937 vma = find_vma_prepare(mm, addr, &prev, &rb_link, &rb_parent);
22938 if (vma && vma->vm_start < addr + len) {
22939 if (do_munmap(mm, addr, len))
22941 - goto munmap_back;
22942 + vma = find_vma_prepare(mm, addr, &prev, &rb_link, &rb_parent);
22943 + BUG_ON(vma && vma->vm_start < addr + len);
22946 /* Check against address space limits *after* clearing old maps... */
22947 @@ -1899,6 +2126,18 @@ unsigned long do_brk(unsigned long addr,
22949 flags = VM_DATA_DEFAULT_FLAGS | VM_ACCOUNT | mm->def_flags;
22951 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
22952 + if (mm->pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
22953 + flags &= ~VM_EXEC;
22955 +#ifdef CONFIG_PAX_MPROTECT
22956 + if (mm->pax_flags & MF_PAX_MPROTECT)
22957 + flags &= ~VM_MAYEXEC;
22963 /* Can we just expand an old private anonymous mapping? */
22964 if (vma_merge(mm, prev, addr, addr + len, flags,
22965 NULL, NULL, pgoff, NULL))
22966 @@ -1919,6 +2158,13 @@ unsigned long do_brk(unsigned long addr,
22967 vma->vm_end = addr + len;
22968 vma->vm_pgoff = pgoff;
22969 vma->vm_flags = flags;
22971 +#ifdef CONFIG_PAX_PAGEEXEC
22972 + if (!(mm->pax_flags & MF_PAX_PAGEEXEC) && (flags & (VM_READ|VM_WRITE)))
22973 + vma->vm_page_prot = protection_map[(flags | VM_EXEC) & 0x0f];
22977 vma->vm_page_prot = protection_map[flags & 0x0f];
22978 vma_link(mm, vma, prev, rb_link, rb_parent);
22980 @@ -1927,6 +2173,7 @@ out:
22981 vx_vmlocked_add(mm, len >> PAGE_SHIFT);
22982 make_pages_present(addr, addr + len);
22984 + track_exec_limit(mm, addr, addr + len, flags);
22988 @@ -2066,7 +2313,7 @@ int may_expand_vm(struct mm_struct *mm,
22991 lim = current->signal->rlim[RLIMIT_AS].rlim_cur >> PAGE_SHIFT;
22993 + gr_learn_resource(current, RLIMIT_AS, (cur + npages) << PAGE_SHIFT, 1);
22994 if (cur + npages > lim)
22996 if (!vx_vmpages_avail(mm, npages))
22997 diff -urNp linux-2.6.16.12/mm/mprotect.c linux-2.6.16.12/mm/mprotect.c
22998 --- linux-2.6.16.12/mm/mprotect.c 2006-05-01 15:14:26.000000000 -0400
22999 +++ linux-2.6.16.12/mm/mprotect.c 2006-05-01 20:17:34.000000000 -0400
23000 @@ -19,11 +19,18 @@
23001 #include <linux/mempolicy.h>
23002 #include <linux/personality.h>
23003 #include <linux/syscalls.h>
23004 +#include <linux/grsecurity.h>
23006 +#ifdef CONFIG_PAX_MPROTECT
23007 +#include <linux/elf.h>
23008 +#include <linux/fs.h>
23011 #include <asm/uaccess.h>
23012 #include <asm/pgtable.h>
23013 #include <asm/cacheflush.h>
23014 #include <asm/tlbflush.h>
23015 +#include <asm/mmu_context.h>
23017 static void change_pte_range(struct mm_struct *mm, pmd_t *pmd,
23018 unsigned long addr, unsigned long end, pgprot_t newprot)
23019 @@ -98,6 +105,94 @@ static void change_protection(struct vm_
23020 flush_tlb_range(vma, start, end);
23023 +#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
23024 +/* called while holding the mmap semaphor for writing */
23025 +static inline void establish_user_cs_limit(struct mm_struct *mm, unsigned long start, unsigned long end)
23027 + struct vm_area_struct *vma = find_vma(mm, start);
23029 + for (; vma && vma->vm_start < end; vma = vma->vm_next)
23030 + change_protection(vma, vma->vm_start, vma->vm_end, vma->vm_page_prot);
23034 +void track_exec_limit(struct mm_struct *mm, unsigned long start, unsigned long end, unsigned long prot)
23036 + unsigned long oldlimit, newlimit = 0UL;
23038 + if (!(mm->pax_flags & MF_PAX_PAGEEXEC))
23041 + spin_lock(&mm->page_table_lock);
23042 + oldlimit = mm->context.user_cs_limit;
23043 + if ((prot & VM_EXEC) && oldlimit < end)
23044 + /* USER_CS limit moved up */
23046 + else if (!(prot & VM_EXEC) && start < oldlimit && oldlimit <= end)
23047 + /* USER_CS limit moved down */
23048 + newlimit = start;
23051 + mm->context.user_cs_limit = newlimit;
23055 + cpus_clear(mm->context.cpu_user_cs_mask);
23056 + cpu_set(smp_processor_id(), mm->context.cpu_user_cs_mask);
23059 + set_user_cs(mm, smp_processor_id());
23061 + spin_unlock(&mm->page_table_lock);
23062 + if (newlimit == end)
23063 + establish_user_cs_limit(mm, oldlimit, end);
23067 +#ifdef CONFIG_PAX_SEGMEXEC
23068 +static int __mprotect_fixup(struct vm_area_struct *vma, struct vm_area_struct **pprev,
23069 + unsigned long start, unsigned long end, unsigned int newflags);
23071 +static int mprotect_fixup(struct vm_area_struct *vma, struct vm_area_struct **pprev,
23072 + unsigned long start, unsigned long end, unsigned int newflags)
23074 + if (vma->vm_flags & VM_MIRROR) {
23075 + struct vm_area_struct * vma_m, * prev_m;
23076 + unsigned long start_m, end_m;
23079 + start_m = vma->vm_start + vma->vm_mirror;
23080 + vma_m = find_vma_prev(vma->vm_mm, start_m, &prev_m);
23081 + if (vma_m && vma_m->vm_start == start_m && (vma_m->vm_flags & VM_MIRROR)) {
23082 + start_m = start + vma->vm_mirror;
23083 + end_m = end + vma->vm_mirror;
23085 + if (vma_m->vm_start >= SEGMEXEC_TASK_SIZE && !(newflags & VM_EXEC))
23086 + error = __mprotect_fixup(vma_m, &prev_m, start_m, end_m, vma_m->vm_flags & ~(VM_READ | VM_WRITE | VM_EXEC));
23088 + error = __mprotect_fixup(vma_m, &prev_m, start_m, end_m, newflags);
23092 + printk("PAX: VMMIRROR: mprotect bug in %s, %08lx\n", current->comm, vma->vm_start);
23097 + return __mprotect_fixup(vma, pprev, start, end, newflags);
23100 +static int __mprotect_fixup(struct vm_area_struct *vma, struct vm_area_struct **pprev,
23101 + unsigned long start, unsigned long end, unsigned int newflags)
23103 + struct mm_struct * mm = vma->vm_mm;
23104 + unsigned long oldflags = vma->vm_flags;
23105 + long nrpages = (end - start) >> PAGE_SHIFT;
23106 + unsigned long charged = 0;
23107 + pgprot_t newprot;
23112 mprotect_fixup(struct vm_area_struct *vma, struct vm_area_struct **pprev,
23113 unsigned long start, unsigned long end, unsigned long newflags)
23114 @@ -114,6 +209,7 @@ mprotect_fixup(struct vm_area_struct *vm
23121 * If we make a private mapping writable we increase our commit;
23122 @@ -132,6 +228,12 @@ mprotect_fixup(struct vm_area_struct *vm
23126 +#ifdef CONFIG_PAX_PAGEEXEC
23127 + if (!(mm->pax_flags & MF_PAX_PAGEEXEC) && (newflags & (VM_READ|VM_WRITE)))
23128 + newprot = protection_map[(newflags | VM_EXEC) & 0xf];
23132 newprot = protection_map[newflags & 0xf];
23135 @@ -176,6 +278,69 @@ fail:
23139 +#ifdef CONFIG_PAX_MPROTECT
23140 +/* PaX: non-PIC ELF libraries need relocations on their executable segments
23141 + * therefore we'll grant them VM_MAYWRITE once during their life.
23143 + * The checks favour ld-linux.so behaviour which operates on a per ELF segment
23144 + * basis because we want to allow the common case and not the special ones.
23146 +static inline void pax_handle_maywrite(struct vm_area_struct * vma, unsigned long start)
23148 + struct elfhdr elf_h;
23149 + struct elf_phdr elf_p, p_dyn;
23151 + unsigned long i, j = 65536UL / sizeof(struct elf_phdr);
23153 +#ifndef CONFIG_PAX_NOELFRELOCS
23154 + if ((vma->vm_start != start) ||
23156 + !(vma->vm_flags & VM_MAYEXEC) ||
23157 + (vma->vm_flags & VM_MAYNOTWRITE))
23162 + if (sizeof(elf_h) != kernel_read(vma->vm_file, 0UL, (char*)&elf_h, sizeof(elf_h)) ||
23163 + memcmp(elf_h.e_ident, ELFMAG, SELFMAG) ||
23165 +#ifdef CONFIG_PAX_ETEXECRELOCS
23166 + (elf_h.e_type != ET_DYN && elf_h.e_type != ET_EXEC) ||
23168 + elf_h.e_type != ET_DYN ||
23171 + !elf_check_arch(&elf_h) ||
23172 + elf_h.e_phentsize != sizeof(struct elf_phdr) ||
23173 + elf_h.e_phnum > j)
23176 + for (i = 0UL; i < elf_h.e_phnum; i++) {
23177 + if (sizeof(elf_p) != kernel_read(vma->vm_file, elf_h.e_phoff + i*sizeof(elf_p), (char*)&elf_p, sizeof(elf_p)))
23179 + if (elf_p.p_type == PT_DYNAMIC) {
23184 + if (elf_h.e_phnum <= j)
23189 + if (sizeof(dyn) != kernel_read(vma->vm_file, p_dyn.p_offset + i*sizeof(dyn), (char*)&dyn, sizeof(dyn)))
23191 + if (dyn.d_tag == DT_TEXTREL || (dyn.d_tag == DT_FLAGS && (dyn.d_un.d_val & DF_TEXTREL))) {
23192 + vma->vm_flags |= VM_MAYWRITE | VM_MAYNOTWRITE;
23193 + gr_log_textrel(vma);
23197 + } while (dyn.d_tag != DT_NULL);
23203 sys_mprotect(unsigned long start, size_t len, unsigned long prot)
23205 @@ -195,6 +360,17 @@ sys_mprotect(unsigned long start, size_t
23210 +#ifdef CONFIG_PAX_SEGMEXEC
23211 + if (current->mm->pax_flags & MF_PAX_SEGMEXEC) {
23212 + if (end > SEGMEXEC_TASK_SIZE)
23217 + if (end > TASK_SIZE)
23220 if (prot & ~(PROT_READ | PROT_WRITE | PROT_EXEC | PROT_SEM))
23223 @@ -235,6 +411,16 @@ sys_mprotect(unsigned long start, size_t
23224 if (start > vma->vm_start)
23227 +#ifdef CONFIG_PAX_MPROTECT
23228 + if ((vma->vm_mm->pax_flags & MF_PAX_MPROTECT) && (prot & PROT_WRITE))
23229 + pax_handle_maywrite(vma, start);
23232 + if (!gr_acl_handle_mprotect(vma->vm_file, prot)) {
23237 for (nstart = start ; ; ) {
23238 unsigned long newflags;
23240 @@ -253,6 +439,12 @@ sys_mprotect(unsigned long start, size_t
23244 +#ifdef CONFIG_PAX_MPROTECT
23245 + /* PaX: disallow write access after relocs are done, hopefully noone else needs it... */
23246 + if ((vma->vm_mm->pax_flags & MF_PAX_MPROTECT) && !(prot & PROT_WRITE) && (vma->vm_flags & VM_MAYNOTWRITE))
23247 + newflags &= ~VM_MAYWRITE;
23250 error = security_file_mprotect(vma, reqprot, prot);
23253 @@ -276,6 +468,9 @@ sys_mprotect(unsigned long start, size_t
23258 + track_exec_limit(current->mm, start, end, vm_flags);
23261 up_write(¤t->mm->mmap_sem);
23263 diff -urNp linux-2.6.16.12/mm/mremap.c linux-2.6.16.12/mm/mremap.c
23264 --- linux-2.6.16.12/mm/mremap.c 2006-05-01 15:14:26.000000000 -0400
23265 +++ linux-2.6.16.12/mm/mremap.c 2006-05-01 20:17:34.000000000 -0400
23266 @@ -107,6 +107,12 @@ static void move_ptes(struct vm_area_str
23267 pte = ptep_clear_flush(vma, old_addr, old_pte);
23268 /* ZERO_PAGE can be dependant on virtual addr */
23269 pte = move_pte(pte, new_vma->vm_page_prot, old_addr, new_addr);
23271 +#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
23272 + if ((mm->pax_flags & MF_PAX_PAGEEXEC) && !(vma->vm_flags & VM_EXEC))
23273 + pte_exprotect(pte);
23276 set_pte_at(mm, new_addr, new_pte, pte);
23279 @@ -254,6 +260,7 @@ unsigned long do_mremap(unsigned long ad
23280 struct vm_area_struct *vma;
23281 unsigned long ret = -EINVAL;
23282 unsigned long charged = 0;
23283 + unsigned long task_size = TASK_SIZE;
23285 if (flags & ~(MREMAP_FIXED | MREMAP_MAYMOVE))
23287 @@ -272,6 +279,15 @@ unsigned long do_mremap(unsigned long ad
23291 +#ifdef CONFIG_PAX_SEGMEXEC
23292 + if (current->mm->pax_flags & MF_PAX_SEGMEXEC)
23293 + task_size = SEGMEXEC_TASK_SIZE;
23296 + if (new_len > task_size || addr > task_size-new_len ||
23297 + old_len > task_size || addr > task_size-old_len)
23300 /* new_addr is only valid if MREMAP_FIXED is specified */
23301 if (flags & MREMAP_FIXED) {
23302 if (new_addr & ~PAGE_MASK)
23303 @@ -279,16 +295,13 @@ unsigned long do_mremap(unsigned long ad
23304 if (!(flags & MREMAP_MAYMOVE))
23307 - if (new_len > TASK_SIZE || new_addr > TASK_SIZE - new_len)
23308 + if (new_addr > task_size - new_len)
23311 /* Check if the location we're moving into overlaps the
23312 * old location at all, and fail if it does.
23314 - if ((new_addr <= addr) && (new_addr+new_len) > addr)
23317 - if ((addr <= new_addr) && (addr+old_len) > new_addr)
23318 + if (addr + old_len > new_addr && new_addr + new_len > addr)
23321 ret = do_munmap(mm, new_addr, new_len);
23322 @@ -322,6 +335,14 @@ unsigned long do_mremap(unsigned long ad
23327 +#ifdef CONFIG_PAX_SEGMEXEC
23328 + if (vma->vm_flags & VM_MIRROR) {
23334 /* We can't remap across vm area boundaries */
23335 if (old_len > vma->vm_end - addr)
23337 @@ -358,7 +379,7 @@ unsigned long do_mremap(unsigned long ad
23338 if (old_len == vma->vm_end - addr &&
23339 !((flags & MREMAP_FIXED) && (addr != new_addr)) &&
23340 (old_len != new_len || !(flags & MREMAP_MAYMOVE))) {
23341 - unsigned long max_addr = TASK_SIZE;
23342 + unsigned long max_addr = task_size;
23344 max_addr = vma->vm_next->vm_start;
23345 /* can we just expand the current mapping? */
23346 @@ -376,6 +397,7 @@ unsigned long do_mremap(unsigned long ad
23350 + track_exec_limit(vma->vm_mm, vma->vm_start, addr + new_len, vma->vm_flags);
23354 @@ -386,8 +408,8 @@ unsigned long do_mremap(unsigned long ad
23357 if (flags & MREMAP_MAYMOVE) {
23358 + unsigned long map_flags = 0;
23359 if (!(flags & MREMAP_FIXED)) {
23360 - unsigned long map_flags = 0;
23361 if (vma->vm_flags & VM_MAYSHARE)
23362 map_flags |= MAP_SHARED;
23364 @@ -397,7 +419,12 @@ unsigned long do_mremap(unsigned long ad
23365 if (new_addr & ~PAGE_MASK)
23368 + map_flags = vma->vm_flags;
23369 ret = move_vma(vma, addr, old_len, new_len, new_addr);
23370 + if (!(ret & ~PAGE_MASK)) {
23371 + track_exec_limit(current->mm, addr, addr + old_len, 0UL);
23372 + track_exec_limit(current->mm, new_addr, new_addr + new_len, map_flags);
23376 if (ret & ~PAGE_MASK)
23377 diff -urNp linux-2.6.16.12/mm/rmap.c linux-2.6.16.12/mm/rmap.c
23378 --- linux-2.6.16.12/mm/rmap.c 2006-05-01 15:14:26.000000000 -0400
23379 +++ linux-2.6.16.12/mm/rmap.c 2006-05-01 20:17:34.000000000 -0400
23380 @@ -109,6 +109,19 @@ int anon_vma_prepare(struct vm_area_stru
23381 list_add(&vma->anon_vma_node, &anon_vma->head);
23385 +#ifdef CONFIG_PAX_SEGMEXEC
23386 + if (vma->vm_flags & VM_MIRROR) {
23387 + struct vm_area_struct *vma_m;
23389 + vma_m = find_vma(vma->vm_mm, vma->vm_start + vma->vm_mirror);
23390 + BUG_ON(!vma_m || vma_m->vm_start != vma->vm_start + vma->vm_mirror);
23391 + BUG_ON(vma_m->anon_vma || vma->vm_pgoff != vma_m->vm_pgoff);
23392 + vma_m->anon_vma = anon_vma;
23393 + __anon_vma_link(vma_m);
23397 spin_unlock(&mm->page_table_lock);
23400 diff -urNp linux-2.6.16.12/mm/vmalloc.c linux-2.6.16.12/mm/vmalloc.c
23401 --- linux-2.6.16.12/mm/vmalloc.c 2006-05-01 15:14:26.000000000 -0400
23402 +++ linux-2.6.16.12/mm/vmalloc.c 2006-05-01 20:17:34.000000000 -0400
23403 @@ -193,6 +193,8 @@ struct vm_struct *__get_vm_area_node(uns
23405 write_lock(&vmlist_lock);
23406 for (p = &vmlist; (tmp = *p) != NULL ;p = &tmp->next) {
23407 + if (addr > end - size)
23409 if ((unsigned long)tmp->addr < addr) {
23410 if((unsigned long)tmp->addr + tmp->size >= addr)
23411 addr = ALIGN(tmp->size +
23412 @@ -204,8 +206,6 @@ struct vm_struct *__get_vm_area_node(uns
23413 if (size + addr <= (unsigned long)tmp->addr)
23415 addr = ALIGN(tmp->size + (unsigned long)tmp->addr, align);
23416 - if (addr > end - size)
23421 diff -urNp linux-2.6.16.12/net/ipv4/inet_connection_sock.c linux-2.6.16.12/net/ipv4/inet_connection_sock.c
23422 --- linux-2.6.16.12/net/ipv4/inet_connection_sock.c 2006-05-01 15:14:26.000000000 -0400
23423 +++ linux-2.6.16.12/net/ipv4/inet_connection_sock.c 2006-05-01 20:17:34.000000000 -0400
23425 #include <linux/config.h>
23426 #include <linux/module.h>
23427 #include <linux/jhash.h>
23428 +#include <linux/grsecurity.h>
23430 #include <net/inet_connection_sock.h>
23431 #include <net/inet_hashtables.h>
23432 diff -urNp linux-2.6.16.12/net/ipv4/inet_hashtables.c linux-2.6.16.12/net/ipv4/inet_hashtables.c
23433 --- linux-2.6.16.12/net/ipv4/inet_hashtables.c 2006-05-01 15:14:26.000000000 -0400
23434 +++ linux-2.6.16.12/net/ipv4/inet_hashtables.c 2006-05-01 20:17:34.000000000 -0400
23435 @@ -19,11 +19,14 @@
23436 #include <linux/sched.h>
23437 #include <linux/slab.h>
23438 #include <linux/wait.h>
23439 +#include <linux/grsecurity.h>
23441 #include <net/inet_connection_sock.h>
23442 #include <net/inet_hashtables.h>
23443 #include <net/ip.h>
23445 +extern void gr_update_task_in_ip_table(struct task_struct *task, const struct inet_sock *inet);
23448 * Allocate and initialize a new local port bind bucket.
23449 * The bindhash mutex for snum's hash chain must be held here.
23450 @@ -313,6 +316,8 @@ ok:
23452 spin_unlock(&head->lock);
23454 + gr_update_task_in_ip_table(current, inet_sk(sk));
23457 inet_twsk_deschedule(tw, death_row);;
23459 diff -urNp linux-2.6.16.12/net/ipv4/netfilter/ipt_stealth.c linux-2.6.16.12/net/ipv4/netfilter/ipt_stealth.c
23460 --- linux-2.6.16.12/net/ipv4/netfilter/ipt_stealth.c 1969-12-31 19:00:00.000000000 -0500
23461 +++ linux-2.6.16.12/net/ipv4/netfilter/ipt_stealth.c 2006-05-01 20:17:34.000000000 -0400
23463 +/* Kernel module to add stealth support.
23465 + * Copyright (C) 2002,2005 Brad Spengler <spender@grsecurity.net>
23469 +#include <linux/kernel.h>
23470 +#include <linux/module.h>
23471 +#include <linux/skbuff.h>
23472 +#include <linux/net.h>
23473 +#include <linux/sched.h>
23474 +#include <linux/inet.h>
23475 +#include <linux/stddef.h>
23477 +#include <net/ip.h>
23478 +#include <net/sock.h>
23479 +#include <net/tcp.h>
23480 +#include <net/udp.h>
23481 +#include <net/route.h>
23482 +#include <net/inet_common.h>
23484 +#include <linux/netfilter_ipv4/ip_tables.h>
23486 +MODULE_LICENSE("GPL");
23488 +extern struct sock *udp_v4_lookup(u32 saddr, u16 sport, u32 daddr, u16 dport, int dif);
23491 +match(const struct sk_buff *skb,
23492 + const struct net_device *in,
23493 + const struct net_device *out,
23494 + const void *matchinfo,
23498 + struct iphdr *ip = skb->nh.iph;
23499 + struct tcphdr th;
23500 + struct udphdr uh;
23501 + struct sock *sk = NULL;
23503 + if (!ip || offset) return 0;
23505 + switch(ip->protocol) {
23506 + case IPPROTO_TCP:
23507 + if (skb_copy_bits(skb, skb->nh.iph->ihl*4, &th, sizeof(th)) < 0) {
23511 + if (!(th.syn && !th.ack)) return 0;
23512 + sk = inet_lookup_listener(&tcp_hashinfo, ip->daddr, ntohs(th.dest), ((struct rtable*)skb->dst)->rt_iif);
23514 + case IPPROTO_UDP:
23515 + if (skb_copy_bits(skb, skb->nh.iph->ihl*4, &uh, sizeof(uh)) < 0) {
23519 + sk = udp_v4_lookup(ip->saddr, uh.source, ip->daddr, uh.dest, skb->dev->ifindex);
23525 + if(!sk) // port is being listened on, match this
23533 +/* Called when user tries to insert an entry of this type. */
23535 +checkentry(const char *tablename,
23536 + const struct ipt_ip *ip,
23538 + unsigned int matchsize,
23539 + unsigned int hook_mask)
23541 + if (matchsize != IPT_ALIGN(0))
23544 + if(((ip->proto == IPPROTO_TCP && !(ip->invflags & IPT_INV_PROTO)) ||
23545 + ((ip->proto == IPPROTO_UDP) && !(ip->invflags & IPT_INV_PROTO)))
23546 + && (hook_mask & (1 << NF_IP_LOCAL_IN)))
23549 + printk("stealth: Only works on TCP and UDP for the INPUT chain.\n");
23555 +static struct ipt_match stealth_match = {
23556 + .name = "stealth",
23558 + .checkentry = &checkentry,
23560 + .me = THIS_MODULE
23563 +static int __init init(void)
23565 + return ipt_register_match(&stealth_match);
23568 +static void __exit fini(void)
23570 + ipt_unregister_match(&stealth_match);
23573 +module_init(init);
23574 +module_exit(fini);
23575 diff -urNp linux-2.6.16.12/net/ipv4/netfilter/Kconfig linux-2.6.16.12/net/ipv4/netfilter/Kconfig
23576 --- linux-2.6.16.12/net/ipv4/netfilter/Kconfig 2006-05-01 15:14:26.000000000 -0400
23577 +++ linux-2.6.16.12/net/ipv4/netfilter/Kconfig 2006-05-01 20:17:34.000000000 -0400
23578 @@ -313,6 +313,21 @@ config IP_NF_MATCH_POLICY
23580 To compile it as a module, choose M here. If unsure, say N.
23582 +config IP_NF_MATCH_STEALTH
23583 + tristate "stealth match support"
23584 + depends on IP_NF_IPTABLES
23586 + Enabling this option will drop all syn packets coming to unserved tcp
23587 + ports as well as all packets coming to unserved udp ports. If you
23588 + are using your system to route any type of packets (ie. via NAT)
23589 + you should put this module at the end of your ruleset, since it will
23590 + drop packets that aren't going to ports that are listening on your
23591 + machine itself, it doesn't take into account that the packet might be
23592 + destined for someone on your internal network if you're using NAT for
23595 + To compile it as a module, choose M here. If unsure, say N.
23597 # `filter', generic and specific targets
23598 config IP_NF_FILTER
23599 tristate "Packet filtering"
23600 diff -urNp linux-2.6.16.12/net/ipv4/netfilter/Makefile linux-2.6.16.12/net/ipv4/netfilter/Makefile
23601 --- linux-2.6.16.12/net/ipv4/netfilter/Makefile 2006-05-01 15:14:26.000000000 -0400
23602 +++ linux-2.6.16.12/net/ipv4/netfilter/Makefile 2006-05-01 20:17:34.000000000 -0400
23603 @@ -91,6 +91,7 @@ obj-$(CONFIG_IP_NF_MATCH_AH_ESP) += ipt_
23604 obj-$(CONFIG_IP_NF_MATCH_TTL) += ipt_ttl.o
23605 obj-$(CONFIG_IP_NF_MATCH_ADDRTYPE) += ipt_addrtype.o
23606 obj-$(CONFIG_IP_NF_MATCH_POLICY) += ipt_policy.o
23607 +obj-$(CONFIG_IP_NF_MATCH_STEALTH) += ipt_stealth.o
23610 obj-$(CONFIG_IP_NF_TARGET_REJECT) += ipt_REJECT.o
23611 diff -urNp linux-2.6.16.12/net/ipv4/tcp_ipv4.c linux-2.6.16.12/net/ipv4/tcp_ipv4.c
23612 --- linux-2.6.16.12/net/ipv4/tcp_ipv4.c 2006-05-01 15:14:26.000000000 -0400
23613 +++ linux-2.6.16.12/net/ipv4/tcp_ipv4.c 2006-05-01 20:17:34.000000000 -0400
23615 #include <linux/jhash.h>
23616 #include <linux/init.h>
23617 #include <linux/times.h>
23618 +#include <linux/grsecurity.h>
23620 #include <net/icmp.h>
23621 #include <net/inet_hashtables.h>
23622 diff -urNp linux-2.6.16.12/net/ipv4/udp.c linux-2.6.16.12/net/ipv4/udp.c
23623 --- linux-2.6.16.12/net/ipv4/udp.c 2006-05-01 15:14:26.000000000 -0400
23624 +++ linux-2.6.16.12/net/ipv4/udp.c 2006-05-01 20:17:34.000000000 -0400
23625 @@ -102,6 +102,7 @@
23626 #include <linux/skbuff.h>
23627 #include <linux/proc_fs.h>
23628 #include <linux/seq_file.h>
23629 +#include <linux/grsecurity.h>
23630 #include <net/sock.h>
23631 #include <net/udp.h>
23632 #include <net/icmp.h>
23633 @@ -110,6 +111,12 @@
23634 #include <net/checksum.h>
23635 #include <net/xfrm.h>
23637 +extern int gr_search_udp_recvmsg(const struct sock *sk,
23638 + const struct sk_buff *skb);
23639 +extern int gr_search_udp_sendmsg(const struct sock *sk,
23640 + const struct sockaddr_in *addr);
23644 * Snmp MIB for the UDP layer
23646 @@ -270,8 +277,7 @@ static struct sock *udp_v4_lookup_longwa
23650 -static __inline__ struct sock *udp_v4_lookup(u32 saddr, u16 sport,
23651 - u32 daddr, u16 dport, int dif)
23652 +struct sock *udp_v4_lookup(u32 saddr, u16 sport, u32 daddr, u16 dport, int dif)
23656 @@ -547,9 +553,16 @@ int udp_sendmsg(struct kiocb *iocb, stru
23657 dport = usin->sin_port;
23661 + if (!gr_search_udp_sendmsg(sk, usin))
23664 if (sk->sk_state != TCP_ESTABLISHED)
23665 return -EDESTADDRREQ;
23667 + if (!gr_search_udp_sendmsg(sk, NULL))
23670 daddr = inet->daddr;
23671 dport = inet->dport;
23672 /* Open fast path for connected socket.
23673 @@ -812,6 +825,11 @@ try_again:
23677 + if (!gr_search_udp_recvmsg(sk, skb)) {
23682 copied = skb->len - sizeof(struct udphdr);
23683 if (copied > len) {
23685 diff -urNp linux-2.6.16.12/net/socket.c linux-2.6.16.12/net/socket.c
23686 --- linux-2.6.16.12/net/socket.c 2006-05-01 15:14:26.000000000 -0400
23687 +++ linux-2.6.16.12/net/socket.c 2006-05-01 20:17:34.000000000 -0400
23689 #include <linux/compat.h>
23690 #include <linux/kmod.h>
23691 #include <linux/audit.h>
23692 +#include <linux/in.h>
23694 #ifdef CONFIG_NET_RADIO
23695 #include <linux/wireless.h> /* Note : will define WIRELESS_EXT */
23697 #include <linux/netfilter.h>
23698 #include <linux/vs_socket.h>
23700 +extern void gr_attach_curr_ip(const struct sock *sk);
23701 +extern int gr_handle_sock_all(const int family, const int type,
23702 + const int protocol);
23703 +extern int gr_handle_sock_server(const struct sockaddr *sck);
23704 +extern int gr_handle_sock_server_other(const struct socket *sck);
23705 +extern int gr_handle_sock_client(const struct sockaddr *sck);
23706 +extern int gr_search_connect(const struct socket * sock,
23707 + const struct sockaddr_in * addr);
23708 +extern int gr_search_bind(const struct socket * sock,
23709 + const struct sockaddr_in * addr);
23710 +extern int gr_search_listen(const struct socket * sock);
23711 +extern int gr_search_accept(const struct socket * sock);
23712 +extern int gr_search_socket(const int domain, const int type,
23713 + const int protocol);
23715 static int sock_no_open(struct inode *irrelevant, struct file *dontcare);
23716 static ssize_t sock_aio_read(struct kiocb *iocb, char __user *buf,
23717 size_t size, loff_t pos);
23718 @@ -1223,6 +1239,16 @@ asmlinkage long sys_socket(int family, i
23720 struct socket *sock;
23722 + if(!gr_search_socket(family, type, protocol)) {
23723 + retval = -EACCES;
23727 + if (gr_handle_sock_all(family, type, protocol)) {
23728 + retval = -EACCES;
23732 retval = sock_create(family, type, protocol, &sock);
23735 @@ -1321,11 +1347,23 @@ asmlinkage long sys_bind(int fd, struct
23737 struct socket *sock;
23738 char address[MAX_SOCK_ADDR];
23739 + struct sockaddr *sck;
23742 if((sock = sockfd_lookup(fd,&err))!=NULL)
23744 if((err=move_addr_to_kernel(umyaddr,addrlen,address))>=0) {
23745 + sck = (struct sockaddr *)address;
23746 + if (!gr_search_bind(sock, (struct sockaddr_in *)sck)) {
23747 + sockfd_put(sock);
23751 + if (gr_handle_sock_server(sck)) {
23752 + sockfd_put(sock);
23756 err = security_socket_bind(sock, (struct sockaddr *)address, addrlen);
23759 @@ -1362,6 +1400,16 @@ asmlinkage long sys_listen(int fd, int b
23763 + if (gr_handle_sock_server_other(sock)) {
23764 + sockfd_put(sock);
23768 + if(!gr_search_listen(sock)) {
23769 + sockfd_put(sock);
23773 err=sock->ops->listen(sock, backlog);
23776 @@ -1398,6 +1446,16 @@ asmlinkage long sys_accept(int fd, struc
23777 newsock->type = sock->type;
23778 newsock->ops = sock->ops;
23780 + if (gr_handle_sock_server_other(sock)) {
23782 + goto out_release;
23785 + if(!gr_search_accept(sock)) {
23787 + goto out_release;
23791 * We don't need try_module_get here, as the listening socket (sock)
23792 * has the protocol module (sock->ops->owner) held.
23793 @@ -1428,6 +1486,7 @@ asmlinkage long sys_accept(int fd, struc
23796 security_socket_post_accept(sock, newsock);
23797 + gr_attach_curr_ip(newsock->sk);
23801 @@ -1455,6 +1514,7 @@ asmlinkage long sys_connect(int fd, stru
23803 struct socket *sock;
23804 char address[MAX_SOCK_ADDR];
23805 + struct sockaddr *sck;
23808 sock = sockfd_lookup(fd, &err);
23809 @@ -1464,6 +1524,18 @@ asmlinkage long sys_connect(int fd, stru
23813 + sck = (struct sockaddr *)address;
23815 + if (!gr_search_connect(sock, (struct sockaddr_in *)sck)) {
23820 + if (gr_handle_sock_client(sck)) {
23825 err = security_socket_connect(sock, (struct sockaddr *)address, addrlen);
23828 @@ -1717,6 +1789,7 @@ asmlinkage long sys_shutdown(int fd, int
23829 err=sock->ops->shutdown(sock, how);
23836 diff -urNp linux-2.6.16.12/net/unix/af_unix.c linux-2.6.16.12/net/unix/af_unix.c
23837 --- linux-2.6.16.12/net/unix/af_unix.c 2006-05-01 15:14:26.000000000 -0400
23838 +++ linux-2.6.16.12/net/unix/af_unix.c 2006-05-01 20:17:34.000000000 -0400
23839 @@ -120,6 +120,7 @@
23840 #include <linux/vs_context.h>
23841 #include <linux/vs_network.h>
23842 #include <linux/vs_limit.h>
23843 +#include <linux/grsecurity.h>
23845 int sysctl_unix_max_dgram_qlen = 10;
23847 @@ -685,6 +686,11 @@ static struct sock *unix_find_other(stru
23851 + if (!gr_acl_handle_unix(nd.dentry, nd.mnt)) {
23856 err = -ECONNREFUSED;
23857 if (!S_ISSOCK(nd.dentry->d_inode->i_mode))
23859 @@ -708,6 +714,13 @@ static struct sock *unix_find_other(stru
23861 struct dentry *dentry;
23862 dentry = unix_sk(u)->dentry;
23864 + if (!gr_handle_chroot_unix(u->sk_peercred.pid)) {
23871 touch_atime(unix_sk(u)->mnt, dentry);
23873 @@ -786,9 +799,18 @@ static int unix_bind(struct socket *sock
23876 (SOCK_INODE(sock)->i_mode & ~current->fs->umask);
23878 + if (!gr_acl_handle_mknod(dentry, nd.dentry, nd.mnt, mode)) {
23880 + goto out_mknod_dput;
23883 err = vfs_mknod(nd.dentry->d_inode, dentry, mode, 0, NULL);
23885 goto out_mknod_dput;
23887 + gr_handle_create(dentry, nd.mnt);
23889 mutex_unlock(&nd.dentry->d_inode->i_mutex);
23891 nd.dentry = dentry;
23892 @@ -806,6 +828,10 @@ static int unix_bind(struct socket *sock
23896 +#ifdef CONFIG_GRKERNSEC_CHROOT_UNIX
23897 + sk->sk_peercred.pid = current->pid;
23900 list = &unix_socket_table[addr->hash];
23902 list = &unix_socket_table[dentry->d_inode->i_ino & (UNIX_HASH_SIZE-1)];
23903 diff -urNp linux-2.6.16.12/security/commoncap.c linux-2.6.16.12/security/commoncap.c
23904 --- linux-2.6.16.12/security/commoncap.c 2006-05-01 15:14:26.000000000 -0400
23905 +++ linux-2.6.16.12/security/commoncap.c 2006-05-01 20:17:34.000000000 -0400
23907 #include <linux/ptrace.h>
23908 #include <linux/xattr.h>
23909 #include <linux/hugetlb.h>
23910 +#include <linux/grsecurity.h>
23912 int cap_netlink_send(struct sock *sk, struct sk_buff *skb)
23914 @@ -45,7 +46,15 @@ EXPORT_SYMBOL(cap_netlink_recv);
23915 int cap_capable (struct task_struct *tsk, int cap)
23917 /* Derived from include/linux/sched.h:capable. */
23918 - if (vx_cap_raised(tsk->vx_info, tsk->cap_effective, cap))
23919 + if (vx_cap_raised(tsk->vx_info, tsk->cap_effective, cap) && gr_task_is_capable(tsk, cap))
23924 +int cap_capable_nolog (struct task_struct *tsk, int cap)
23926 + /* Derived from include/linux/sched.h:capable. */
23927 + if (vx_cap_raised(tsk->vx_info, tsk->cap_effective, cap))
23931 @@ -61,7 +70,7 @@ int cap_ptrace (struct task_struct *pare
23933 /* Derived from arch/i386/kernel/ptrace.c:sys_ptrace. */
23934 if (!cap_issubset (child->cap_permitted, current->cap_permitted) &&
23935 - !capable(CAP_SYS_PTRACE))
23936 + !capable_nolog(CAP_SYS_PTRACE))
23940 @@ -165,8 +174,11 @@ void cap_bprm_apply_creds (struct linux_
23944 - current->suid = current->euid = current->fsuid = bprm->e_uid;
23945 - current->sgid = current->egid = current->fsgid = bprm->e_gid;
23946 + if (!gr_check_user_change(-1, bprm->e_uid, bprm->e_uid))
23947 + current->suid = current->euid = current->fsuid = bprm->e_uid;
23949 + if (!gr_check_group_change(-1, bprm->e_gid, bprm->e_gid))
23950 + current->sgid = current->egid = current->fsgid = bprm->e_gid;
23952 /* For init, we want to retain the capabilities set
23953 * in the init_task struct. Thus we skip the usual
23954 @@ -177,6 +189,8 @@ void cap_bprm_apply_creds (struct linux_
23955 cap_intersect (new_permitted, bprm->cap_effective);
23958 + gr_handle_chroot_caps(current);
23960 /* AUD: Audit candidate if current->cap_effective is set */
23962 current->keep_capabilities = 0;
23963 @@ -323,12 +337,13 @@ int cap_vm_enough_memory(long pages)
23965 int cap_sys_admin = 0;
23967 - if (cap_capable(current, CAP_SYS_ADMIN) == 0)
23968 + if (cap_capable_nolog(current, CAP_SYS_ADMIN) == 0)
23970 return __vm_enough_memory(pages, cap_sys_admin);
23973 EXPORT_SYMBOL(cap_capable);
23974 +EXPORT_SYMBOL(cap_capable_nolog);
23975 EXPORT_SYMBOL(cap_settime);
23976 EXPORT_SYMBOL(cap_ptrace);
23977 EXPORT_SYMBOL(cap_capget);
23978 diff -urNp linux-2.6.16.12/security/dummy.c linux-2.6.16.12/security/dummy.c
23979 --- linux-2.6.16.12/security/dummy.c 2006-05-01 15:14:26.000000000 -0400
23980 +++ linux-2.6.16.12/security/dummy.c 2006-05-01 20:17:34.000000000 -0400
23982 #include <linux/hugetlb.h>
23983 #include <linux/ptrace.h>
23984 #include <linux/file.h>
23985 +#include <linux/grsecurity.h>
23987 static int dummy_ptrace (struct task_struct *parent, struct task_struct *child)
23989 @@ -139,8 +140,11 @@ static void dummy_bprm_apply_creds (stru
23993 - current->suid = current->euid = current->fsuid = bprm->e_uid;
23994 - current->sgid = current->egid = current->fsgid = bprm->e_gid;
23995 + if (!gr_check_user_change(-1, bprm->e_uid, bprm->e_uid))
23996 + current->suid = current->euid = current->fsuid = bprm->e_uid;
23998 + if (!gr_check_group_change(-1, bprm->e_gid, bprm->e_gid))
23999 + current->sgid = current->egid = current->fsgid = bprm->e_gid;
24001 dummy_capget(current, ¤t->cap_effective, ¤t->cap_inheritable, ¤t->cap_permitted);
24003 diff -urNp linux-2.6.16.12/security/Kconfig linux-2.6.16.12/security/Kconfig
24004 --- linux-2.6.16.12/security/Kconfig 2006-05-01 15:14:26.000000000 -0400
24005 +++ linux-2.6.16.12/security/Kconfig 2006-05-01 20:17:34.000000000 -0400
24008 menu "Security options"
24013 + bool "Enable various PaX features"
24014 + depends on GRKERNSEC && (ALPHA || ARM || IA64 || MIPS32 || MIPS64 || PARISC || PPC32 || PPC64 || SPARC32 || SPARC64 || X86 || X86_64)
24016 + This allows you to enable various PaX features. PaX adds
24017 + intrusion prevention mechanisms to the kernel that reduce
24018 + the risks posed by exploitable memory corruption bugs.
24020 +menu "PaX Control"
24023 +config PAX_SOFTMODE
24024 + bool 'Support soft mode'
24026 + Enabling this option will allow you to run PaX in soft mode, that
24027 + is, PaX features will not be enforced by default, only on executables
24028 + marked explicitly. You must also enable PT_PAX_FLAGS support as it
24029 + is the only way to mark executables for soft mode use.
24031 + Soft mode can be activated by using the "pax_softmode=1" kernel command
24032 + line option on boot. Furthermore you can control various PaX features
24033 + at runtime via the entries in /proc/sys/kernel/pax.
24036 + bool 'Use legacy ELF header marking'
24038 + Enabling this option will allow you to control PaX features on
24039 + a per executable basis via the 'chpax' utility available at
24040 + http://pax.grsecurity.net/. The control flags will be read from
24041 + an otherwise reserved part of the ELF header. This marking has
24042 + numerous drawbacks (no support for soft-mode, toolchain does not
24043 + know about the non-standard use of the ELF header) therefore it
24044 + has been deprecated in favour of PT_PAX_FLAGS support.
24046 + If you have applications not marked by the PT_PAX_FLAGS ELF
24047 + program header then you MUST enable this option otherwise they
24048 + will not get any protection.
24050 + Note that if you enable PT_PAX_FLAGS marking support as well,
24051 + the PT_PAX_FLAG marks will override the legacy EI_PAX marks.
24053 +config PAX_PT_PAX_FLAGS
24054 + bool 'Use ELF program header marking'
24056 + Enabling this option will allow you to control PaX features on
24057 + a per executable basis via the 'paxctl' utility available at
24058 + http://pax.grsecurity.net/. The control flags will be read from
24059 + a PaX specific ELF program header (PT_PAX_FLAGS). This marking
24060 + has the benefits of supporting both soft mode and being fully
24061 + integrated into the toolchain (the binutils patch is available
24062 + from http://pax.grsecurity.net).
24064 + If you have applications not marked by the PT_PAX_FLAGS ELF
24065 + program header then you MUST enable the EI_PAX marking support
24066 + otherwise they will not get any protection.
24068 + Note that if you enable the legacy EI_PAX marking support as well,
24069 + the EI_PAX marks will be overridden by the PT_PAX_FLAGS marks.
24072 + prompt 'MAC system integration'
24073 + default PAX_HAVE_ACL_FLAGS
24075 + Mandatory Access Control systems have the option of controlling
24076 + PaX flags on a per executable basis, choose the method supported
24077 + by your particular system.
24079 + - "none": if your MAC system does not interact with PaX,
24080 + - "direct": if your MAC system defines pax_set_flags() itself,
24081 + - "hook": if your MAC system uses the pax_set_flags_func callback.
24083 + NOTE: this option is for developers/integrators only.
24085 +config PAX_NO_ACL_FLAGS
24088 +config PAX_HAVE_ACL_FLAGS
24091 +config PAX_HOOK_ACL_FLAGS
24097 +menu "Non-executable pages"
24101 + bool "Enforce non-executable pages"
24102 + depends on (PAX_EI_PAX || PAX_PT_PAX_FLAGS || PAX_HAVE_ACL_FLAGS || PAX_HOOK_ACL_FLAGS) && (ALPHA || IA64 || MIPS32 || MIPS64 || PARISC || PPC32 || PPC64 || SPARC32 || SPARC64 || X86 || X86_64)
24104 + By design some architectures do not allow for protecting memory
24105 + pages against execution or even if they do, Linux does not make
24106 + use of this feature. In practice this means that if a page is
24107 + readable (such as the stack or heap) it is also executable.
24109 + There is a well known exploit technique that makes use of this
24110 + fact and a common programming mistake where an attacker can
24111 + introduce code of his choice somewhere in the attacked program's
24112 + memory (typically the stack or the heap) and then execute it.
24114 + If the attacked program was running with different (typically
24115 + higher) privileges than that of the attacker, then he can elevate
24116 + his own privilege level (e.g. get a root shell, write to files for
24117 + which he does not have write access to, etc).
24119 + Enabling this option will let you choose from various features
24120 + that prevent the injection and execution of 'foreign' code in
24123 + This will also break programs that rely on the old behaviour and
24124 + expect that dynamically allocated memory via the malloc() family
24125 + of functions is executable (which it is not). Notable examples
24126 + are the XFree86 4.x server, the java runtime and wine.
24128 +config PAX_PAGEEXEC
24129 + bool "Paging based non-executable pages"
24130 + depends on PAX_NOEXEC && (!X86_32 || M586 || M586TSC || M586MMX || M686 || MPENTIUMII || MPENTIUMIII || MPENTIUMM || MPENTIUM4 || MK7 || MK8 || MWINCHIPC6 || MWINCHIP2 || MWINCHIP3D || MVIAC3_2)
24131 + select PAX_NOVSYSCALL if X86_32
24133 + This implementation is based on the paging feature of the CPU.
24134 + On i386 and ppc there is a variable but usually low performance
24135 + impact on applications. On alpha, ia64, parisc, sparc, sparc64
24136 + and x86_64 there is no performance impact.
24138 +config PAX_SEGMEXEC
24139 + bool "Segmentation based non-executable pages"
24140 + depends on PAX_NOEXEC && X86_32
24141 + select PAX_NOVSYSCALL if X86_32
24143 + This implementation is based on the segmentation feature of the
24144 + CPU and has little performance impact, however applications will
24145 + be limited to a 1.5 GB address space instead of the normal 3 GB.
24148 + prompt "Default non-executable page method"
24149 + depends on PAX_PAGEEXEC && PAX_SEGMEXEC
24150 + default PAX_DEFAULT_SEGMEXEC
24152 + Select the default non-executable page method applied to applications
24153 + that do not select one themselves.
24155 +config PAX_DEFAULT_PAGEEXEC
24158 +config PAX_DEFAULT_SEGMEXEC
24162 +config PAX_EMUTRAMP
24163 + bool "Emulate trampolines" if (PAX_PAGEEXEC || PAX_SEGMEXEC) && (PARISC || PPC32 || X86_32)
24164 + default y if PARISC || PPC32
24166 + There are some programs and libraries that for one reason or
24167 + another attempt to execute special small code snippets from
24168 + non-executable memory pages. Most notable examples are the
24169 + signal handler return code generated by the kernel itself and
24170 + the GCC trampolines.
24172 + If you enabled CONFIG_PAX_PAGEEXEC or CONFIG_PAX_SEGMEXEC then
24173 + such programs will no longer work under your kernel.
24175 + As a remedy you can say Y here and use the 'chpax' or 'paxctl'
24176 + utilities to enable trampoline emulation for the affected programs
24177 + yet still have the protection provided by the non-executable pages.
24179 + On parisc and ppc you MUST enable this option and EMUSIGRT as
24180 + well, otherwise your system will not even boot.
24182 + Alternatively you can say N here and use the 'chpax' or 'paxctl'
24183 + utilities to disable CONFIG_PAX_PAGEEXEC and CONFIG_PAX_SEGMEXEC
24184 + for the affected files.
24186 + NOTE: enabling this feature *may* open up a loophole in the
24187 + protection provided by non-executable pages that an attacker
24188 + could abuse. Therefore the best solution is to not have any
24189 + files on your system that would require this option. This can
24190 + be achieved by not using libc5 (which relies on the kernel
24191 + signal handler return code) and not using or rewriting programs
24192 + that make use of the nested function implementation of GCC.
24193 + Skilled users can just fix GCC itself so that it implements
24194 + nested function calls in a way that does not interfere with PaX.
24196 +config PAX_EMUSIGRT
24197 + bool "Automatically emulate sigreturn trampolines"
24198 + depends on PAX_EMUTRAMP && (PARISC || PPC32)
24201 + Enabling this option will have the kernel automatically detect
24202 + and emulate signal return trampolines executing on the stack
24203 + that would otherwise lead to task termination.
24205 + This solution is intended as a temporary one for users with
24206 + legacy versions of libc (libc5, glibc 2.0, uClibc before 0.9.17,
24207 + Modula-3 runtime, etc) or executables linked to such, basically
24208 + everything that does not specify its own SA_RESTORER function in
24209 + normal executable memory like glibc 2.1+ does.
24211 + On parisc and ppc you MUST enable this option, otherwise your
24212 + system will not even boot.
24214 + NOTE: this feature cannot be disabled on a per executable basis
24215 + and since it *does* open up a loophole in the protection provided
24216 + by non-executable pages, the best solution is to not have any
24217 + files on your system that would require this option.
24219 +config PAX_MPROTECT
24220 + bool "Restrict mprotect()"
24221 + depends on (PAX_PAGEEXEC || PAX_SEGMEXEC) && !PPC64
24223 + Enabling this option will prevent programs from
24224 + - changing the executable status of memory pages that were
24225 + not originally created as executable,
24226 + - making read-only executable pages writable again,
24227 + - creating executable pages from anonymous memory.
24229 + You should say Y here to complete the protection provided by
24230 + the enforcement of non-executable pages.
24232 + NOTE: you can use the 'chpax' or 'paxctl' utilities to control
24233 + this feature on a per file basis.
24235 +config PAX_NOELFRELOCS
24236 + bool "Disallow ELF text relocations"
24237 + depends on PAX_MPROTECT && !PAX_ETEXECRELOCS && (IA64 || X86 || X86_64)
24239 + Non-executable pages and mprotect() restrictions are effective
24240 + in preventing the introduction of new executable code into an
24241 + attacked task's address space. There remain only two venues
24242 + for this kind of attack: if the attacker can execute already
24243 + existing code in the attacked task then he can either have it
24244 + create and mmap() a file containing his code or have it mmap()
24245 + an already existing ELF library that does not have position
24246 + independent code in it and use mprotect() on it to make it
24247 + writable and copy his code there. While protecting against
24248 + the former approach is beyond PaX, the latter can be prevented
24249 + by having only PIC ELF libraries on one's system (which do not
24250 + need to relocate their code). If you are sure this is your case,
24251 + then enable this option otherwise be careful as you may not even
24252 + be able to boot or log on your system (for example, some PAM
24253 + modules are erroneously compiled as non-PIC by default).
24255 + NOTE: if you are using dynamic ELF executables (as suggested
24256 + when using ASLR) then you must have made sure that you linked
24257 + your files using the PIC version of crt1 (the et_dyn.tar.gz package
24258 + referenced there has already been updated to support this).
24260 +config PAX_ETEXECRELOCS
24261 + bool "Allow ELF ET_EXEC text relocations"
24262 + depends on PAX_MPROTECT && (ALPHA || IA64 || PARISC)
24265 + On some architectures there are incorrectly created applications
24266 + that require text relocations and would not work without enabling
24267 + this option. If you are an alpha, ia64 or parisc user, you should
24268 + enable this option and disable it once you have made sure that
24269 + none of your applications need it.
24272 + bool "Automatically emulate ELF PLT"
24273 + depends on PAX_MPROTECT && (ALPHA || PARISC || PPC32 || SPARC32 || SPARC64)
24276 + Enabling this option will have the kernel automatically detect
24277 + and emulate the Procedure Linkage Table entries in ELF files.
24278 + On some architectures such entries are in writable memory, and
24279 + become non-executable leading to task termination. Therefore
24280 + it is mandatory that you enable this option on alpha, parisc, ppc,
24281 + sparc and sparc64, otherwise your system would not even boot.
24283 + NOTE: this feature *does* open up a loophole in the protection
24284 + provided by the non-executable pages, therefore the proper
24285 + solution is to modify the toolchain to produce a PLT that does
24286 + not need to be writable.
24288 +config PAX_DLRESOLVE
24290 + depends on PAX_EMUPLT && (SPARC32 || SPARC64)
24293 +config PAX_SYSCALL
24295 + depends on PAX_PAGEEXEC && PPC32
24298 +config PAX_KERNEXEC
24299 + bool "Enforce non-executable kernel pages"
24300 + depends on PAX_NOEXEC && X86_32 && !HOTPLUG_PCI_COMPAQ_NVRAM && !PCI_BIOS && !EFI && !DEBUG_RODATA
24302 + This is the kernel land equivalent of PAGEEXEC and MPROTECT,
24303 + that is, enabling this option will make it harder to inject
24304 + and execute 'foreign' code in kernel memory itself.
24308 +menu "Address Space Layout Randomization"
24312 + bool "Address Space Layout Randomization"
24313 + depends on PAX_EI_PAX || PAX_PT_PAX_FLAGS || PAX_HAVE_ACL_FLAGS || PAX_HOOK_ACL_FLAGS
24315 + Many if not most exploit techniques rely on the knowledge of
24316 + certain addresses in the attacked program. The following options
24317 + will allow the kernel to apply a certain amount of randomization
24318 + to specific parts of the program thereby forcing an attacker to
24319 + guess them in most cases. Any failed guess will most likely crash
24320 + the attacked program which allows the kernel to detect such attempts
24321 + and react on them. PaX itself provides no reaction mechanisms,
24322 + instead it is strongly encouraged that you make use of Nergal's
24323 + segvguard (ftp://ftp.pl.openwall.com/misc/segvguard/) or grsecurity's
24324 + (http://www.grsecurity.net/) built-in crash detection features or
24325 + develop one yourself.
24327 + By saying Y here you can choose to randomize the following areas:
24328 + - top of the task's kernel stack
24329 + - top of the task's userland stack
24330 + - base address for mmap() requests that do not specify one
24331 + (this includes all libraries)
24332 + - base address of the main executable
24334 + It is strongly recommended to say Y here as address space layout
24335 + randomization has negligible impact on performance yet it provides
24336 + a very effective protection.
24338 + NOTE: you can use the 'chpax' or 'paxctl' utilities to control
24339 + this feature on a per file basis.
24341 +config PAX_RANDKSTACK
24342 + bool "Randomize kernel stack base"
24343 + depends on PAX_ASLR && X86_TSC && X86_32
24345 + By saying Y here the kernel will randomize every task's kernel
24346 + stack on every system call. This will not only force an attacker
24347 + to guess it but also prevent him from making use of possible
24348 + leaked information about it.
24350 + Since the kernel stack is a rather scarce resource, randomization
24351 + may cause unexpected stack overflows, therefore you should very
24352 + carefully test your system. Note that once enabled in the kernel
24353 + configuration, this feature cannot be disabled on a per file basis.
24355 +config PAX_RANDUSTACK
24356 + bool "Randomize user stack base"
24357 + depends on PAX_ASLR
24359 + By saying Y here the kernel will randomize every task's userland
24360 + stack. The randomization is done in two steps where the second
24361 + one may apply a big amount of shift to the top of the stack and
24362 + cause problems for programs that want to use lots of memory (more
24363 + than 2.5 GB if SEGMEXEC is not active, or 1.25 GB when it is).
24364 + For this reason the second step can be controlled by 'chpax' or
24365 + 'paxctl' on a per file basis.
24367 +config PAX_RANDMMAP
24368 + bool "Randomize mmap() base"
24369 + depends on PAX_ASLR
24371 + By saying Y here the kernel will use a randomized base address for
24372 + mmap() requests that do not specify one themselves. As a result
24373 + all dynamically loaded libraries will appear at random addresses
24374 + and therefore be harder to exploit by a technique where an attacker
24375 + attempts to execute library code for his purposes (e.g. spawn a
24376 + shell from an exploited program that is running at an elevated
24377 + privilege level).
24379 + Furthermore, if a program is relinked as a dynamic ELF file, its
24380 + base address will be randomized as well, completing the full
24381 + randomization of the address space layout. Attacking such programs
24382 + becomes a guess game. You can find an example of doing this at
24383 + http://pax.grsecurity.net/et_dyn.tar.gz and practical samples at
24384 + http://www.grsecurity.net/grsec-gcc-specs.tar.gz .
24386 + NOTE: you can use the 'chpax' or 'paxctl' utilities to control this
24387 + feature on a per file basis.
24389 +config PAX_NOVSYSCALL
24390 + bool "Disable the vsyscall page"
24391 + depends on PAX_ASLR && X86_32
24393 + The Linux 2.6 kernel introduced a new feature that speeds up or
24394 + simplifies certain operations, such as system calls or returns
24395 + from signal handlers.
24397 + Unfortunately the implementation also gives a powerful instrument
24398 + into the hands of exploit writers: the so-called vsyscall page exists
24399 + in every task at the same fixed address and it contains machine code
24400 + that is very useful in performing the return-to-libc style attack.
24402 + Since this exploit technique cannot in general be protected against
24403 + via kernel solutions, this option will allow you to disable the use
24404 + of the vsyscall page and revert back to the old behaviour.
24410 +source grsecurity/Kconfig
24413 bool "Enable access key retention support"
24415 diff -urNp linux-2.6.16.12/security/security.c linux-2.6.16.12/security/security.c
24416 --- linux-2.6.16.12/security/security.c 2006-05-01 15:14:26.000000000 -0400
24417 +++ linux-2.6.16.12/security/security.c 2006-05-01 20:17:34.000000000 -0400
24418 @@ -204,4 +204,5 @@ EXPORT_SYMBOL_GPL(unregister_security);
24419 EXPORT_SYMBOL_GPL(mod_reg_security);
24420 EXPORT_SYMBOL_GPL(mod_unreg_security);
24421 EXPORT_SYMBOL(capable);
24422 +EXPORT_SYMBOL(capable_nolog);
24423 EXPORT_SYMBOL(security_ops);