1 diff -urN linux-2.4.22/Documentation/Configure.help linux-2.4.22-grsec/Documentation/Configure.help
2 --- linux-2.4.22/Documentation/Configure.help 2003-10-09 18:47:38.000000000 +0200
3 +++ linux-2.4.22-grsec/Documentation/Configure.help 2003-10-09 19:13:26.000000000 +0200
5 If you want to compile it as a module, say M here and read
6 Documentation/modules.txt. If unsure, say `N'.
8 +stealth networking support
9 +CONFIG_IP_NF_MATCH_STEALTH
10 + Enabling this option will drop all syn packets coming to unserved tcp
11 + ports as well as all packets coming to unserved udp ports. If you
12 + are using your system to route any type of packets (ie. via NAT)
13 + you should put this module at the end of your ruleset, since it will
14 + drop packets that aren't going to ports that are listening on your
15 + machine itself, it doesn't take into account that the packet might be
16 + destined for someone on your internal network if you're using NAT for
19 + If you want to compile it as a module, say M here and read
20 + Documentation/modules.txt. If unsure, say `N'.
22 MAC address match support
23 CONFIG_IP_NF_MATCH_MAC
24 MAC matching allows you to match packets based on the source
25 @@ -23554,6 +23568,233 @@
27 "Area6" will work for most boards. For ADX, select "Area5".
31 + If you say Y here, you will be able to configure many features that
32 + will enhance the security of your system. It is highly recommended
33 + that you say Y here and read through the help for each option so
34 + you fully understand the features and can evaluate their usefulness
37 +/proc/<pid>/ipaddr support
38 +CONFIG_GRKERNSEC_PROC_IPADDR
39 + If you say Y here, a new entry will be added to each /proc/<pid>
40 + directory that contains the IP address of the person using the task.
41 + The IP is carried across local TCP and AF_UNIX stream sockets.
42 + This information can be useful for IDS/IPSes to perform remote response
43 + to a local attack. The entry is readable by only the owner of the
44 + process (and root if he has CAP_DAC_OVERRIDE, which can be removed via
45 + the RBAC system), and thus does not create privacy concerns.
47 +Deny access to abstract AF_UNIX sockets out of chroot
48 +CONFIG_GRKERNSEC_CHROOT_UNIX
49 + If you say Y here, processes inside a chroot will not be able to
50 + connect to abstract (meaning not belonging to a filesystem) Unix
51 + domain sockets that were bound outside of a chroot. It is recommended
52 + that you say Y here. If the sysctl option is enabled, a sysctl option
53 + with name "chroot_deny_unix" is created.
55 +Deny shmat() out of chroot
56 +CONFIG_GRKERNSEC_CHROOT_SHMAT
57 + If you say Y here, processes inside a chroot will not be able to attach
58 + to shared memory segments that were created outside of the chroot jail.
59 + It is recommended that you say Y here. If the sysctl option is enabled,
60 + a sysctl option with name "chroot_deny_shmat" is created.
62 +Protect outside processes
63 +CONFIG_GRKERNSEC_CHROOT_FINDTASK
64 + If you say Y here, processes inside a chroot will not be able to
65 + kill, send signals with fcntl, ptrace, capget, setpgid, getpgid,
66 + getsid, or view any process outside of the chroot. If the sysctl
67 + option is enabled, a sysctl option with name "chroot_findtask" is
70 +Deny mounts in chroot
71 +CONFIG_GRKERNSEC_CHROOT_MOUNT
72 + If you say Y here, processes inside a chroot will not be able to
73 + mount or remount filesystems. If the sysctl option is enabled, a
74 + sysctl option with name "chroot_deny_mount" is created.
76 +Deny pivot_root in chroot
77 +CONFIG_GRKERNSEC_CHROOT_PIVOT
78 + If you say Y here, processes inside a chroot will not be able to use
79 + a function called pivot_root() that was introduced in Linux 2.3.41. It
80 + works similar to chroot in that it changes the root filesystem. This
81 + function could be misused in a chrooted process to attempt to break out
82 + of the chroot, and therefore should not be allowed. If the sysctl
83 + option is enabled, a sysctl option with name "chroot_deny_pivot" is
87 +CONFIG_GRKERNSEC_CHROOT_DOUBLE
88 + If you say Y here, processes inside a chroot will not be able to chroot
89 + again. This is a widely used method of breaking out of a chroot jail
90 + and should not be allowed. If the sysctl option is enabled, a sysctl
91 + option with name "chroot_deny_chroot" is created.
93 +Deny fchdir outside of chroot
94 +CONFIG_GRKERNSEC_CHROOT_FCHDIR
95 + If you say Y here, a well-known method of breaking chroots by fchdir'ing
96 + to a file descriptor of the chrooting process that points to a directory
97 + outside the filesystem will be stopped. If the sysctl option
98 + is enabled, a sysctl option with name "chroot_deny_fchdir" is created.
100 +Enforce chdir("/") on all chroots
101 +CONFIG_GRKERNSEC_CHROOT_CHDIR
102 + If you say Y here, the current working directory of all newly-chrooted
103 + applications will be set to the the root directory of the chroot.
104 + The man page on chroot(2) states:
105 + Note that this call does not change the current working
106 + directory, so that `.' can be outside the tree rooted at
107 + `/'. In particular, the super-user can escape from a
108 + `chroot jail' by doing `mkdir foo; chroot foo; cd ..'.
110 + It is recommended that you say Y here, since it's not known to break
111 + any software. If the sysctl option is enabled, a sysctl option with
112 + name "chroot_enforce_chdir" is created.
114 +Deny (f)chmod +s in chroot
115 +CONFIG_GRKERNSEC_CHROOT_CHMOD
116 + If you say Y here, processes inside a chroot will not be able to chmod
117 + or fchmod files to make them have suid or sgid bits. This protects
118 + against another published method of breaking a chroot. If the sysctl
119 + option is enabled, a sysctl option with name "chroot_deny_chmod" is
122 +Deny mknod in chroot
123 +CONFIG_GRKERNSEC_CHROOT_MKNOD
124 + If you say Y here, processes inside a chroot will not be allowed to
125 + mknod. The problem with using mknod inside a chroot is that it
126 + would allow an attacker to create a device entry that is the same
127 + as one on the physical root of your system, which could range from
128 + anything from the console device to a device for your harddrive (which
129 + they could then use to wipe the drive or steal data). It is recommended
130 + that you say Y here, unless you run into software incompatibilities.
131 + If the sysctl option is enabled, a sysctl option with name
132 + "chroot_deny_mknod" is created.
134 +Restrict priority changes in chroot
135 +CONFIG_GRKERNSEC_CHROOT_NICE
136 + If you say Y here, processes inside a chroot will not be able to raise
137 + the priority of processes in the chroot, or alter the priority of
138 + processes outside the chroot. This provides more security than simply
139 + removing CAP_SYS_NICE from the process' capability set. If the
140 + sysctl option is enabled, a sysctl option with name "chroot_restrict_nice"
143 +Log all execs within chroot
144 +CONFIG_GRKERNSEC_CHROOT_EXECLOG
145 + If you say Y here, all executions inside a chroot jail will be logged
146 + to syslog. This can cause a large amount of logs if certain
147 + applications (eg. djb's daemontools) are installed on the system, and
148 + is therefore left as an option. If the sysctl option is enabled, a
149 + sysctl option with name "chroot_execlog" is created.
151 +Deny sysctl writes in chroot
152 +CONFIG_GRKERNSEC_CHROOT_SYSCTL
153 + If you say Y here, an attacker in a chroot will not be able to
154 + write to sysctl entries, either by sysctl(2) or through a /proc
155 + interface. It is strongly recommended that you say Y here. If the
156 + sysctl option is enabled, a sysctl option with name
157 + "chroot_deny_sysctl" is created.
159 +Chroot jail capability restrictions
160 +CONFIG_GRKERNSEC_CHROOT_CAPS
161 + If you say Y here, the capabilities on all root processes within a
162 + chroot jail will be lowered to stop module insertion, raw i/o,
163 + system and net admin tasks, rebooting the system, modifying immutable
164 + files, modifying IPC owned by another, and changing the system time.
165 + This is left an option because it can break some apps. Disable this
166 + if your chrooted apps are having problems performing those kinds of
167 + tasks. If the sysctl option is enabled, a sysctl option with
168 + name "chroot_caps" is created.
170 +Trusted path execution
171 +CONFIG_GRKERNSEC_TPE
172 + If you say Y here, you will be able to choose a gid to add to the
173 + supplementary groups of users you want to mark as "untrusted."
174 + These users will not be able to execute any files that are not in
175 + root-owned directories writable only by root. If the sysctl option
176 + is enabled, a sysctl option with name "tpe" is created.
178 +Group for trusted path execution
179 +CONFIG_GRKERNSEC_TPE_GID
180 + Here you can choose the GID to enable trusted path protection for.
181 + Remember to add the users you want protection enabled for to the GID
182 + specified here. If the sysctl option is enabled, whatever you choose
183 + here won't matter. You'll have to specify the GID in your bootup
184 + script by echoing the GID to the proper /proc entry. View the help
185 + on the sysctl option for more information. If the sysctl option is
186 + enabled, a sysctl option with name "tpe_gid" is created.
188 +Partially restrict non-root users
189 +CONFIG_GRKERNSEC_TPE_ALL
190 + If you say Y here, All non-root users other than the ones in the
191 + group specified in the main TPE option will only be allowed to
192 + execute files in directories they own that are not group or
193 + world-writable, or in directories owned by root and writable only by
194 + root. If the sysctl option is enabled, a sysctl option with name
195 + "tpe_restrict_all" is created.
198 +CONFIG_GRKERNSEC_SOCKET
199 + If you say Y here, you will be able to choose from several options.
200 + If you assign a GID on your system and add it to the supplementary
201 + groups of users you want to restrict socket access to, this patch
202 + will perform up to three things, based on the option(s) you choose.
204 +Deny all socket access
205 +CONFIG_GRKERNSEC_SOCKET_ALL
206 + If you say Y here, you will be able to choose a GID of whose users will
207 + be unable to connect to other hosts from your machine or run server
208 + applications from your machine. If the sysctl option is enabled, a
209 + sysctl option with name "socket_all" is created.
211 +Group for disabled socket access
212 +CONFIG_GRKERNSEC_SOCKET_ALL_GID
213 + Here you can choose the GID to disable socket access for. Remember to
214 + add the users you want socket access disabled for to the GID
215 + specified here. If the sysctl option is enabled, whatever you choose
216 + here won't matter. You'll have to specify the GID in your bootup
217 + script by echoing the GID to the proper /proc entry. View the help
218 + on the sysctl option for more information. If the sysctl option is
219 + enabled, a sysctl option with name "socket_all_gid" is created.
221 +Deny all client socket access
222 +CONFIG_GRKERNSEC_SOCKET_CLIENT
223 + If you say Y here, you will be able to choose a GID of whose users will
224 + be unable to connect to other hosts from your machine, but will be
225 + able to run servers. If this option is enabled, all users in the group
226 + you specify will have to use passive mode when initiating ftp transfers
227 + from the shell on your machine. If the sysctl option is enabled, a
228 + sysctl option with name "socket_client" is created.
230 +Group for disabled client socket access
231 +CONFIG_GRKERNSEC_SOCKET_CLIENT_GID
232 + Here you can choose the GID to disable client socket access for.
233 + Remember to add the users you want client socket access disabled for to
234 + the GID specified here. If the sysctl option is enabled, whatever you
235 + choose here won't matter. You'll have to specify the GID in your bootup
236 + script by echoing the GID to the proper /proc entry. View the help
237 + on the sysctl option for more information. If the sysctl option is
238 + enabled, a sysctl option with name "socket_client_gid" is created.
240 +Deny all server socket access
241 +CONFIG_GRKERNSEC_SOCKET_SERVER
242 + If you say Y here, you will be able to choose a GID of whose users will
243 + be unable to run server applications from your machine. If the sysctl
244 + option is enabled, a sysctl option with name "socket_server" is created.
246 +Group for disabled server socket access
247 +CONFIG_GRKERNSEC_SOCKET_SERVER_GID
248 + Here you can choose the GID to disable server socket access for.
249 + Remember to add the users you want server socket access disabled for to
250 + the GID specified here. If the sysctl option is enabled, whatever you
251 + choose here won't matter. You'll have to specify the GID in your bootup
252 + script by echoing the GID to the proper /proc entry. View the help
253 + on the sysctl option for more information. If the sysctl option is
254 + enabled, a sysctl option with name "socket_server_gid" is created.
257 CONFIG_DCACHE_DISABLE
258 This option allows you to run the kernel with data cache disabled.
259 diff -urN linux-2.4.22/Makefile linux-2.4.22-grsec/Makefile
260 --- linux-2.4.22/Makefile 2003-10-09 18:47:38.000000000 +0200
261 +++ linux-2.4.22-grsec/Makefile 2003-10-09 19:13:26.000000000 +0200
264 CORE_FILES =kernel/kernel.o mm/mm.o fs/fs.o ipc/ipc.o
265 NETWORKS =net/network.o
266 +GRSECURITY =grsecurity/grsec.o
268 LIBS =$(TOPDIR)/lib/lib.a
269 -SUBDIRS =kernel drivers mm fs net ipc lib crypto
270 +SUBDIRS =kernel drivers mm fs net ipc lib crypto grsecurity
276 export CPPFLAGS CFLAGS CFLAGS_KERNEL AFLAGS AFLAGS_KERNEL
278 -export NETWORKS DRIVERS LIBS HEAD LDFLAGS LINKFLAGS MAKEBOOT ASFLAGS
279 +export NETWORKS DRIVERS LIBS HEAD LDFLAGS LINKFLAGS MAKEBOOT ASFLAGS GRSECURITY
282 $(CPP) $(AFLAGS) $(AFLAGS_KERNEL) -traditional -o $*.s $<
291 diff -urN linux-2.4.22/arch/alpha/config.in linux-2.4.22-grsec/arch/alpha/config.in
292 --- linux-2.4.22/arch/alpha/config.in 2003-08-25 13:44:39.000000000 +0200
293 +++ linux-2.4.22-grsec/arch/alpha/config.in 2003-10-09 19:13:26.000000000 +0200
296 source crypto/Config.in
299 +mainmenu_option next_comment
300 +comment 'Grsecurity'
301 +bool 'Grsecurity' CONFIG_GRKERNSEC
302 +if [ "$CONFIG_GRKERNSEC" = "y" ]; then
303 + source grsecurity/Config.in
307 diff -urN linux-2.4.22/arch/arm/config.in linux-2.4.22-grsec/arch/arm/config.in
308 --- linux-2.4.22/arch/arm/config.in 2003-08-25 13:44:39.000000000 +0200
309 +++ linux-2.4.22-grsec/arch/arm/config.in 2003-10-09 19:13:26.000000000 +0200
312 source crypto/Config.in
315 +mainmenu_option next_comment
316 +comment 'Grsecurity'
317 +bool 'Grsecurity' CONFIG_GRKERNSEC
318 +if [ "$CONFIG_GRKERNSEC" = "y" ]; then
319 + source grsecurity/Config.in
322 diff -urN linux-2.4.22/arch/cris/config.in linux-2.4.22-grsec/arch/cris/config.in
323 --- linux-2.4.22/arch/cris/config.in 2003-08-25 13:44:39.000000000 +0200
324 +++ linux-2.4.22-grsec/arch/cris/config.in 2003-10-09 19:13:26.000000000 +0200
326 source crypto/Config.in
330 +mainmenu_option next_comment
331 +comment 'Grsecurity'
332 +bool 'Grsecurity' CONFIG_GRKERNSEC
333 +if [ "$CONFIG_GRKERNSEC" = "y" ]; then
334 + source grsecurity/Config.in
338 diff -urN linux-2.4.22/arch/i386/config.in linux-2.4.22-grsec/arch/i386/config.in
339 --- linux-2.4.22/arch/i386/config.in 2003-10-09 18:47:37.000000000 +0200
340 +++ linux-2.4.22-grsec/arch/i386/config.in 2003-10-09 19:13:26.000000000 +0200
343 source crypto/Config.in
346 +mainmenu_option next_comment
347 +comment 'Grsecurity'
348 +bool 'Grsecurity' CONFIG_GRKERNSEC
349 +if [ "$CONFIG_GRKERNSEC" = "y" ]; then
350 + source grsecurity/Config.in
353 diff -urN linux-2.4.22/arch/ia64/config.in linux-2.4.22-grsec/arch/ia64/config.in
354 --- linux-2.4.22/arch/ia64/config.in 2003-08-25 13:44:39.000000000 +0200
355 +++ linux-2.4.22-grsec/arch/ia64/config.in 2003-10-09 19:13:26.000000000 +0200
361 +mainmenu_option next_comment
362 +comment 'Grsecurity'
363 +bool 'Grsecurity' CONFIG_GRKERNSEC
364 +if [ "$CONFIG_GRKERNSEC" = "y" ]; then
365 + source grsecurity/Config.in
369 diff -urN linux-2.4.22/arch/m68k/config.in linux-2.4.22-grsec/arch/m68k/config.in
370 --- linux-2.4.22/arch/m68k/config.in 2003-08-25 13:44:39.000000000 +0200
371 +++ linux-2.4.22-grsec/arch/m68k/config.in 2003-10-09 19:13:26.000000000 +0200
374 source crypto/Config.in
377 +mainmenu_option next_comment
378 +comment 'Grsecurity'
379 +bool 'Grsecurity' CONFIG_GRKERNSEC
380 +if [ "$CONFIG_GRKERNSEC" = "y" ]; then
381 + source grsecurity/Config.in
384 diff -urN linux-2.4.22/arch/mips/config.in linux-2.4.22-grsec/arch/mips/config.in
385 --- linux-2.4.22/arch/mips/config.in 2002-11-29 00:53:09.000000000 +0100
386 +++ linux-2.4.22-grsec/arch/mips/config.in 2003-10-09 19:13:26.000000000 +0200
388 define_bool CONFIG_MIPS64 n
390 source arch/mips/config-shared.in
392 +mainmenu_option next_comment
393 +comment 'Grsecurity'
394 +bool 'Grsecurity' CONFIG_GRKERNSEC
395 +if [ "$CONFIG_GRKERNSEC" = "y" ]; then
396 + source grsecurity/Config.in
399 diff -urN linux-2.4.22/arch/mips64/config.in linux-2.4.22-grsec/arch/mips64/config.in
400 --- linux-2.4.22/arch/mips64/config.in 2002-11-29 00:53:10.000000000 +0100
401 +++ linux-2.4.22-grsec/arch/mips64/config.in 2003-10-09 19:13:26.000000000 +0200
403 define_bool CONFIG_MIPS64 y
405 source arch/mips/config-shared.in
407 +mainmenu_option next_comment
408 +comment 'Grsecurity'
409 +bool 'Grsecurity' CONFIG_GRKERNSEC
410 +if [ "$CONFIG_GRKERNSEC" = "y" ]; then
411 + source grsecurity/Config.in
414 diff -urN linux-2.4.22/arch/parisc/config.in linux-2.4.22-grsec/arch/parisc/config.in
415 --- linux-2.4.22/arch/parisc/config.in 2003-08-25 13:44:40.000000000 +0200
416 +++ linux-2.4.22-grsec/arch/parisc/config.in 2003-10-09 19:13:26.000000000 +0200
419 source crypto/Config.in
422 +mainmenu_option next_comment
423 +comment 'Grsecurity'
424 +bool 'Grsecurity' CONFIG_GRKERNSEC
425 +if [ "$CONFIG_GRKERNSEC" = "y" ]; then
426 + source grsecurity/Config.in
429 diff -urN linux-2.4.22/arch/parisc/kernel/sys_parisc32.c linux-2.4.22/arch/parisc/kernel/sys_parisc32.c
430 --- linux-2.4.22/arch/parisc/kernel/sys_parisc32.c 2003-09-01 22:19:44.000000000 -0400
431 +++ linux-2.4.22/arch/parisc/kernel/sys_parisc32.c 2003-09-02 19:29:41.000000000 -0400
433 #include <linux/highmem.h>
434 #include <linux/highuid.h>
435 #include <linux/mman.h>
436 +#include <linux/grsecurity.h>
438 #include <asm/types.h>
439 #include <asm/uaccess.h>
444 +#ifdef CONFIG_GRKERNSEC
445 + struct file *old_exec_file;
448 file = open_exec(filename);
454 +#ifdef CONFIG_GRKERNSEC
455 + if (!gr_tpe_allow(file)) {
461 retval = copy_strings_kernel(1, &bprm.filename, &bprm);
464 @@ -222,11 +260,26 @@
468 +#ifdef CONFIG_GRKERNSEC
469 + old_exec_file = current->exec_file;
471 + current->exec_file = file;
474 retval = search_binary_handler(&bprm,regs);
477 +#ifdef CONFIG_GRKERNSEC
479 + fput(old_exec_file);
485 +#ifdef CONFIG_GRKERNSEC
486 + fput(current->exec_file);
487 + current->exec_file = old_exec_file;
490 /* Something went wrong, return the inode and free the argument pages*/
491 allow_write_access(bprm.file);
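Review bot: The chroot exec logging that fs/exec.c performs via gr_log_chroot_exec() has no counterpart in this 32-bit compat execve, at least in the lines shown between the gr_tpe_allow() check and the exec_file swap, so with CONFIG_GRKERNSEC_CHROOT_EXECLOG a 32-bit binary run inside a jail on a 64-bit PA-RISC kernel would apparently not be logged. If that is intentional it deserves a comment next to the TPE check, `/* NOTE: chroot exec logging (gr_log_chroot_exec) is only done in fs/exec.c */`; otherwise the same call belongs here after copy_strings_kernel() succeeds. Keeping the three grsecurity insertions (TPE check, exec_file bookkeeping, logging) identical across fs/exec.c and the two compat copies would make future drift easier to spot. The enclosing compat execve function starts and ends outside the hunk.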
492 diff -urN linux-2.4.22/arch/ppc/config.in linux-2.4.22-grsec/arch/ppc/config.in
493 --- linux-2.4.22/arch/ppc/config.in 2003-08-25 13:44:40.000000000 +0200
494 +++ linux-2.4.22-grsec/arch/ppc/config.in 2003-10-09 19:13:26.000000000 +0200
496 bool 'Support for early boot texts over serial port' CONFIG_SERIAL_TEXT_DEBUG
500 +mainmenu_option next_comment
501 +comment 'Grsecurity'
502 +bool 'Grsecurity' CONFIG_GRKERNSEC
503 +if [ "$CONFIG_GRKERNSEC" = "y" ]; then
504 + source grsecurity/Config.in
508 diff -urN linux-2.4.22/arch/s390/config.in linux-2.4.22-grsec/arch/s390/config.in
509 --- linux-2.4.22/arch/s390/config.in 2003-08-25 13:44:40.000000000 +0200
510 +++ linux-2.4.22-grsec/arch/s390/config.in 2003-10-09 19:13:26.000000000 +0200
513 source crypto/Config.in
516 +mainmenu_option next_comment
517 +comment 'Grsecurity'
518 +bool 'Grsecurity' CONFIG_GRKERNSEC
519 +if [ "$CONFIG_GRKERNSEC" = "y" ]; then
520 + source grsecurity/Config.in
523 diff -urN linux-2.4.22/arch/s390x/config.in linux-2.4.22-grsec/arch/s390x/config.in
524 --- linux-2.4.22/arch/s390x/config.in 2003-08-25 13:44:40.000000000 +0200
525 +++ linux-2.4.22-grsec/arch/s390x/config.in 2003-10-09 19:13:26.000000000 +0200
528 source crypto/Config.in
531 +mainmenu_option next_comment
532 +comment 'Grsecurity'
533 +bool 'Grsecurity' CONFIG_GRKERNSEC
534 +if [ "$CONFIG_GRKERNSEC" = "y" ]; then
535 + source grsecurity/Config.in
538 diff -urN linux-2.4.22/arch/sh/config.in linux-2.4.22-grsec/arch/sh/config.in
539 --- linux-2.4.22/arch/sh/config.in 2003-08-25 13:44:40.000000000 +0200
540 +++ linux-2.4.22-grsec/arch/sh/config.in 2003-10-09 19:13:26.000000000 +0200
543 source crypto/Config.in
546 +mainmenu_option next_comment
547 +comment 'Grsecurity'
548 +bool 'Grsecurity' CONFIG_GRKERNSEC
549 +if [ "$CONFIG_GRKERNSEC" = "y" ]; then
550 + source grsecurity/Config.in
553 diff -urN linux-2.4.22/arch/sparc/boot/Makefile linux-2.4.22-grsec/arch/sparc/boot/Makefile
554 --- linux-2.4.22/arch/sparc/boot/Makefile 2002-08-03 02:39:43.000000000 +0200
555 +++ linux-2.4.22-grsec/arch/sparc/boot/Makefile 2003-10-09 19:13:26.000000000 +0200
558 BTOBJS := $(HEAD) init/main.o init/version.o init/do_mounts.o
559 BTLIBS := $(CORE_FILES_NO_BTFIX) $(FILESYSTEMS) \
560 - $(DRIVERS) $(NETWORKS)
561 + $(DRIVERS) $(NETWORKS) $(GRSECURITY)
563 # I wanted to make this depend upon BTOBJS so that a parallel
564 # build would work, but this fails because $(HEAD) cannot work
565 diff -urN linux-2.4.22/arch/sparc/config.in linux-2.4.22-grsec/arch/sparc/config.in
566 --- linux-2.4.22/arch/sparc/config.in 2003-08-25 13:44:40.000000000 +0200
567 +++ linux-2.4.22-grsec/arch/sparc/config.in 2003-10-09 19:13:26.000000000 +0200
570 source crypto/Config.in
573 +mainmenu_option next_comment
574 +comment 'Grsecurity'
575 +bool 'Grsecurity' CONFIG_GRKERNSEC
576 +if [ "$CONFIG_GRKERNSEC" = "y" ]; then
577 + source grsecurity/Config.in
580 diff -urN linux-2.4.22/arch/sparc64/config.in linux-2.4.22-grsec/arch/sparc64/config.in
581 --- linux-2.4.22/arch/sparc64/config.in 2003-10-09 18:47:24.000000000 +0200
582 +++ linux-2.4.22-grsec/arch/sparc64/config.in 2003-10-09 19:13:26.000000000 +0200
585 source crypto/Config.in
588 +mainmenu_option next_comment
589 +comment 'Grsecurity'
590 +bool 'Grsecurity' CONFIG_GRKERNSEC
591 +if [ "$CONFIG_GRKERNSEC" = "y" ]; then
592 + source grsecurity/Config.in
595 diff -urN linux-2.4.22/arch/sparc64/kernel/sys_sparc32.c linux-2.4.22/arch/sparc64/kernel/sys_sparc32.c
596 --- linux-2.4.22/arch/sparc64/kernel/sys_sparc32.c 2003-09-01 22:19:37.000000000 -0400
597 +++ linux-2.4.22/arch/sparc64/kernel/sys_sparc32.c 2003-09-02 19:29:41.000000000 -0400
599 #include <linux/sysctl.h>
600 #include <linux/dnotify.h>
601 #include <linux/netfilter_ipv4/ip_tables.h>
602 +#include <linux/random.h>
603 +#include <linux/grsecurity.h>
605 #include <asm/types.h>
607 @@ -3233,6 +3235,9 @@
611 +#ifdef CONFIG_GRKERNSEC
612 + struct file *old_exec_file;
615 bprm.p = PAGE_SIZE*MAX_ARG_PAGES-sizeof(void *);
616 memset(bprm.page, 0, MAX_ARG_PAGES * sizeof(bprm.page[0]));
617 @@ -3263,6 +3289,13 @@
621 +#ifdef CONFIG_GRKERNSEC
622 + if(!gr_tpe_allow(file)) {
628 retval = copy_strings_kernel(1, &bprm.filename, &bprm);
631 @@ -3276,11 +3315,26 @@
635 +#ifdef CONFIG_GRKERNSEC
636 + old_exec_file = current->exec_file;
638 + current->exec_file = file;
641 retval = search_binary_handler(&bprm, regs);
644 +#ifdef CONFIG_GRKERNSEC
646 + fput(old_exec_file);
652 +#ifdef CONFIG_GRKERNSEC
653 + fput(current->exec_file);
654 + current->exec_file = old_exec_file;
657 /* Something went wrong, return the inode and free the argument pages*/
658 allow_write_access(bprm.file);
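Review bot: Unlike fs/exec.c, the sparc32 compat execve path shown here runs gr_tpe_allow() and the exec_file bookkeeping but never calls gr_log_chroot_exec(), so as far as these hunks show CONFIG_GRKERNSEC_CHROOT_EXECLOG does not cover 32-bit execs on sparc64. Either add the call after copy_strings_kernel() at the same point fs/exec.c does, or document the gap with `/* chroot exec logging intentionally omitted here; see fs/exec.c */`. Separately, `#include <linux/random.h>` is added at the top of this file with no use visible in the hunk; if it serves a later hunk, a short comment would keep it from being removed as unused. The surrounding function begins and ends outside the hunk.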
659 diff -urN linux-2.4.22/fs/exec.c linux-2.4.22-grsec/fs/exec.c
660 --- linux-2.4.22/fs/exec.c 2003-10-09 18:47:38.000000000 +0200
661 +++ linux-2.4.22-grsec/fs/exec.c 2003-10-09 19:13:26.000000000 +0200
663 #include <asm/uaccess.h>
664 #include <asm/pgalloc.h>
665 #include <asm/mmu_context.h>
666 +#include <linux/major.h>
667 +#include <linux/random.h>
668 +#include <linux/grsecurity.h>
671 #include <linux/kmod.h>
673 current->suid = current->euid = current->fsuid = bprm->e_uid;
674 current->sgid = current->egid = current->fsgid = bprm->e_gid;
676 +#ifdef CONFIG_GRKERNSEC
677 + gr_handle_chroot_caps(current);
682 current->keep_capabilities = 0;
687 +#ifdef CONFIG_GRKERNSEC
688 + struct file *old_exec_file;
691 file = open_exec(filename);
697 +#ifdef CONFIG_GRKERNSEC
698 + if (!gr_tpe_allow(file)) {
704 retval = copy_strings_kernel(1, &bprm.filename, &bprm);
712 +#ifdef CONFIG_GRKERNSEC
713 + gr_log_chroot_exec(file->f_dentry, file->f_vfsmnt);
716 retval = copy_strings(bprm.envc, envp, &bprm);
719 @@ -951,11 +1027,26 @@
723 +#ifdef CONFIG_GRKERNSEC
724 + old_exec_file = current->exec_file;
726 + current->exec_file = file;
729 retval = search_binary_handler(&bprm,regs);
732 +#ifdef CONFIG_GRKERNSEC
734 + fput(old_exec_file);
740 +#ifdef CONFIG_GRKERNSEC
741 + fput(current->exec_file);
742 + current->exec_file = old_exec_file;
745 /* Something went wrong, return the inode and free the argument pages*/
746 allow_write_access(bprm.file);
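Review bot: The gr_tpe_allow(file) check after open_exec() is applied only to the file named in execve(), so an untrusted user can still run arbitrary code by handing it to a trusted interpreter (`sh ./untrusted`, `perl ./untrusted`, or `/lib/ld-linux.so.2 ./untrusted`): the interpreter lives in a root-owned directory and passes the check, and the untrusted file is opened by the interpreter itself, which this hook never sees. That is an inherent limit of a do_execve-only hook rather than a bug, but it should be stated at the check so nobody relies on TPE as a complete execution control, e.g. `/* TPE gates the execve() target only; files opened by an interpreter or by ld.so are not checked here */`. The binfmt_script open_exec() path is not in this hunk, so I cannot tell whether #! interpreters get a second check. do_execve starts and ends outside the hunk.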
747 diff -urN linux-2.4.22/fs/fcntl.c linux-2.4.22-grsec/fs/fcntl.c
748 --- linux-2.4.22/fs/fcntl.c 2002-11-29 00:53:15.000000000 +0100
749 +++ linux-2.4.22-grsec/fs/fcntl.c 2003-10-09 19:13:26.000000000 +0200
751 #include <linux/smp_lock.h>
752 #include <linux/slab.h>
753 #include <linux/iobuf.h>
754 +#include <linux/grsecurity.h>
756 #include <asm/poll.h>
757 #include <asm/siginfo.h>
762 +#ifdef CONFIG_GRKERNSEC
763 + if (gr_pid_is_chrooted(p))
766 send_sigio_to_task(p, fown, fd, band);
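Review bot: The new guard `if (gr_pid_is_chrooted(p))` in send_sigio reads as "skip p if p is chrooted", yet CONFIG_GRKERNSEC_CHROOT_FINDTASK is meant to stop a chrooted sender from signalling processes outside its jail, so the predicate is presumably relative to current (p is not reachable from current's chroot) rather than a property of p alone. The same helper filters the /proc pid list in fs/proc/base.c, so a misreading of its meaning propagates. Please add a comment at the call, `/* skip targets that the (chrooted) current task must not see or signal */`, or consider a name that carries the current-relative meaning such as gr_task_hidden_from_current(). send_sigio begins and ends outside the hunk, and the statement following the if is not visible.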
769 diff -urN linux-2.4.22/fs/namei.c linux-2.4.22-grsec/fs/namei.c
770 --- linux-2.4.22/fs/namei.c 2003-10-09 18:47:32.000000000 +0200
771 +++ linux-2.4.22-grsec/fs/namei.c 2003-10-09 19:13:26.000000000 +0200
773 #include <linux/dnotify.h>
774 #include <linux/smp_lock.h>
775 #include <linux/personality.h>
776 +#include <linux/grsecurity.h>
778 #include <asm/namei.h>
779 #include <asm/uaccess.h>
780 @@ -1284,6 +1285,14 @@
781 if (!IS_POSIXACL(nd.dentry->d_inode))
782 mode &= ~current->fs->umask;
783 if (!IS_ERR(dentry)) {
784 +#ifdef CONFIG_GRKERNSEC
785 + if (gr_handle_chroot_mknod(dentry, nd.mnt, mode)) {
792 switch (mode & S_IFMT) {
793 case 0: case S_IFREG:
794 error = vfs_create(nd.dentry->d_inode,dentry,mode);
795 @@ -1295,6 +1370,7 @@
800 up(&nd.dentry->d_inode->i_sem);
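Review bot: The gr_handle_chroot_mknod(dentry, nd.mnt, mode) check in sys_mknod receives the full mode including S_IFMT, but the hunk does not show whether the helper restricts itself to S_IFCHR/S_IFBLK; denying every type would also block the FIFOs and regular files that `case 0: case S_IFREG:` handles, which jailed daemons commonly create, while the help text's threat model is device nodes only. If the helper already filters on type, a one-line comment here would stop a later `mode & S_IFMT` refactor from breaking it: `/* gr_handle_chroot_mknod denies only device nodes (S_IFCHR/S_IFBLK) inside a chroot */`. Note also that S_IFREG via mknod can carry S_ISUID, which is the (f)chmod +s restriction's concern rather than this one. sys_mknod starts before the hunk and the error branch after the check is not visible.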
803 diff -urN linux-2.4.22/fs/namespace.c linux-2.4.22-grsec/fs/namespace.c
804 --- linux-2.4.22/fs/namespace.c 2003-06-13 16:51:37.000000000 +0200
805 +++ linux-2.4.22-grsec/fs/namespace.c 2003-10-09 19:13:26.000000000 +0200
807 #include <linux/quotaops.h>
808 #include <linux/acct.h>
809 #include <linux/module.h>
810 +#include <linux/sched.h>
811 +#include <linux/grsecurity.h>
813 #include <asm/uaccess.h>
819 +#ifdef CONFIG_GRKERNSEC
820 + if (gr_handle_chroot_mount(nd.dentry, nd.mnt, dev_name)) {
827 if (flags & MS_REMOUNT)
828 retval = do_remount(&nd, flags & ~MS_REMOUNT, mnt_flags,
831 if (!capable(CAP_SYS_ADMIN))
834 +#ifdef CONFIG_GRKERNSEC
835 + if (gr_handle_chroot_pivot())
841 error = __user_walk(new_root, LOOKUP_POSITIVE|LOOKUP_FOLLOW|LOOKUP_DIRECTORY, &new_nd);
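Review bot: The gr_handle_chroot_mount() hook in do_mount covers mount and remount, as the help text says, but nothing here gates sys_umount, so a jailed process that still holds CAP_SYS_ADMIN can unmount filesystems visible inside the jail (for example a read-only bind mount used to expose host directories) and reach whatever sits under the mountpoint. If that is considered out of scope because CONFIG_GRKERNSEC_CHROOT_CAPS strips CAP_SYS_ADMIN, say so at the hook: `/* umount is not restricted here; chroot_caps is expected to drop CAP_SYS_ADMIN */`. For pivot_root the placement after the capable(CAP_SYS_ADMIN) test is fine, since both paths deny. do_mount and sys_pivot_root both extend beyond the hunk.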
842 diff -urN linux-2.4.22/fs/open.c linux-2.4.22-grsec/fs/open.c
843 --- linux-2.4.22/fs/open.c 2003-08-25 13:44:43.000000000 +0200
844 +++ linux-2.4.22-grsec/fs/open.c 2003-10-09 19:13:26.000000000 +0200
846 #include <linux/slab.h>
847 #include <linux/tty.h>
848 #include <linux/iobuf.h>
849 +#include <linux/grsecurity.h>
851 #include <asm/uaccess.h>
856 error = permission(inode, MAY_EXEC);
858 +#ifdef CONFIG_GRKERNSEC
859 + if (!error && !gr_chroot_fchdir(dentry, mnt))
864 set_fs_pwd(current->fs, mnt, dentry);
867 if (!capable(CAP_SYS_CHROOT))
870 +#ifdef CONFIG_GRKERNSEC
871 + if (gr_handle_chroot_chroot(nd.dentry, nd.mnt))
875 set_fs_root(current->fs, nd.mnt, nd.dentry);
878 +#ifdef CONFIG_GRKERNSEC
879 + gr_handle_chroot_caps(current);
881 + gr_handle_chroot_chdir(nd.dentry, nd.mnt);
889 if (mode == (mode_t) -1)
890 mode = inode->i_mode;
892 +#ifdef CONFIG_GRKERNSEC
893 + if (gr_handle_chroot_chmod(dentry, file->f_vfsmnt, mode)) {
899 newattrs.ia_mode = (mode & S_IALLUGO) | (inode->i_mode & ~S_IALLUGO);
900 newattrs.ia_valid = ATTR_MODE | ATTR_CTIME;
901 err = notify_change(dentry, &newattrs);
904 if (mode == (mode_t) -1)
905 mode = inode->i_mode;
907 +#ifdef CONFIG_GRKERNSEC
908 + if (gr_handle_chroot_chmod(nd.dentry, nd.mnt, mode)) {
914 newattrs.ia_mode = (mode & S_IALLUGO) | (inode->i_mode & ~S_IALLUGO);
915 newattrs.ia_valid = ATTR_MODE | ATTR_CTIME;
916 error = notify_change(nd.dentry, &newattrs);
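Review bot: The gr_handle_chroot_chmod() checks in sys_chmod and sys_fchmod stop a jailed process from adding S_ISUID/S_ISGID to an existing file, but a file can be created setuid in one step with open(O_CREAT, 04755) or mknod(S_IFREG|04755) if the umask allows it, and neither of those paths is touched in this hunk, so the published chroot break the option targets is only partly closed unless the create paths also call the helper. Suggest either hooking the create-time mode the same way or adding `/* creation with a setuid mode (open O_CREAT / mknod) is not covered here */` at the chmod check. Also, with `mode == -1` the check sees inode->i_mode, so a no-op chmod(path, -1) on an already-setuid file could be refused depending on how the helper interprets mode; harmless, but worth a comment. sys_chroot, sys_fchdir, sys_chmod and sys_fchmod all extend beyond what is shown.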
917 diff -urN linux-2.4.22/fs/proc/array.c linux-2.4.22-grsec/fs/proc/array.c
918 --- linux-2.4.22/fs/proc/array.c 2003-10-09 18:46:57.000000000 +0200
919 +++ linux-2.4.22-grsec/fs/proc/array.c 2003-10-09 19:13:26.000000000 +0200
924 +#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
925 +int proc_pid_ipaddr(struct task_struct *task, char * buffer)
929 + len = sprintf(buffer, "%u.%u.%u.%u\n", NIPQUAD(task->curr_ip));
935 int proc_pid_cpu(struct task_struct *task, char * buffer)
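Review bot: proc_pid_ipaddr() prints task->curr_ip with NIPQUAD, which is IPv4-only and prints 0.0.0.0 both for a task with no recorded peer and, presumably, for any peer reached over IPv6 or a non-socket path, so an IDS reading this file cannot distinguish "local" from "unknown". That deserves a comment on the function, `/* IPv4 only; 0.0.0.0 means no peer address was recorded for this task, not a local peer */`, and the help text for CONFIG_GRKERNSEC_PROC_IPADDR should carry the same caveat. The `len` declaration and the return are not visible in the hunk, so I cannot check the buffer handling beyond the fixed-width sprintf shown.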
937 diff -urN linux-2.4.22/fs/proc/base.c linux-2.4.22-grsec/fs/proc/base.c
938 --- linux-2.4.22/fs/proc/base.c 2003-08-25 13:44:43.000000000 +0200
939 +++ linux-2.4.22-grsec/fs/proc/base.c 2003-10-09 19:13:26.000000000 +0200
941 #include <linux/string.h>
942 #include <linux/seq_file.h>
943 #include <linux/namespace.h>
944 +#include <linux/grsecurity.h>
947 * For hysterical raisins we keep the same inumbers as in the old procfs.
949 int proc_pid_status(struct task_struct*,char*);
950 int proc_pid_statm(struct task_struct*,char*);
951 int proc_pid_cpu(struct task_struct*,char*);
952 +#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
953 +int proc_pid_ipaddr(struct task_struct*,char*);
956 static int proc_fd_link(struct inode *inode, struct dentry **dentry, struct vfsmount **mnt)
962 +#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
966 PROC_PID_FD_DIR = 0x8000, /* 0x8000-0xffff */
970 E(PROC_PID_CPU, "cpu", S_IFREG|S_IRUGO),
972 +#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
973 + E(PROC_PID_IPADDR, "ipaddr", S_IFREG|S_IRUSR),
975 E(PROC_PID_MAPS, "maps", S_IFREG|S_IRUGO),
976 E(PROC_PID_MEM, "mem", S_IFREG|S_IRUSR|S_IWUSR),
977 E(PROC_PID_CWD, "cwd", S_IFLNK|S_IRWXUGO),
979 inode->u.proc_i.op.proc_read = proc_pid_cpu;
982 +#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
983 + case PROC_PID_IPADDR:
984 + inode->i_fop = &proc_info_file_operations;
985 + inode->u.proc_i.op.proc_read = proc_pid_ipaddr;
989 inode->i_op = &proc_mem_inode_operations;
990 inode->i_fop = &proc_mem_operations;
991 @@ -1102,6 +1118,10 @@
995 +#ifdef CONFIG_GRKERNSEC
996 + if(gr_pid_is_chrooted(p))
1001 pids[nr_pids] = pid;
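Review bot: Hiding pids via gr_pid_is_chrooted(p) in the pid-list builder only removes them from /proc directory listings; a direct open of /proc/<pid>/status by number goes through proc_pid_lookup, which this hunk does not touch, so unless the same test is applied there a jailed process can still enumerate and inspect outside tasks by guessing pids, which are small and sequential. Please add the check in the lookup path or document the limitation at this site, `/* readdir filter only: /proc/<pid> lookups by number must be gated in proc_pid_lookup */`. The ipaddr entry's S_IRUSR matches the help text. get_pid_list and proc_pid_lookup both lie partly outside the hunk.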
1002 diff -urN linux-2.4.22/grsecurity/Config.in linux-2.4.22-grsec/grsecurity/Config.in
1003 --- linux-2.4.22/grsecurity/Config.in 1970-01-01 01:00:00.000000000 +0100
1004 +++ linux-2.4.22-grsec/grsecurity/Config.in 2003-10-09 19:13:26.000000000 +0200
1006 +bool 'Deny mounts' CONFIG_GRKERNSEC_CHROOT_MOUNT
1007 +bool 'Deny double-chroots' CONFIG_GRKERNSEC_CHROOT_DOUBLE
1008 +bool 'Deny pivot_root in chroot' CONFIG_GRKERNSEC_CHROOT_PIVOT
1009 +bool 'Enforce chdir("/") on all chroots' CONFIG_GRKERNSEC_CHROOT_CHDIR
1010 +bool 'Deny (f)chmod +s' CONFIG_GRKERNSEC_CHROOT_CHMOD
1011 +bool 'Deny fchdir out of chroot' CONFIG_GRKERNSEC_CHROOT_FCHDIR
1012 +bool 'Deny mknod' CONFIG_GRKERNSEC_CHROOT_MKNOD
1013 +bool 'Deny shmat() out of chroot' CONFIG_GRKERNSEC_CHROOT_SHMAT
1014 +bool 'Deny access to abstract AF_UNIX sockets out of chroot' CONFIG_GRKERNSEC_CHROOT_UNIX
1015 +bool 'Protect outside processes' CONFIG_GRKERNSEC_CHROOT_FINDTASK
1016 +bool 'Restrict priority changes' CONFIG_GRKERNSEC_CHROOT_NICE
1017 +bool 'Deny sysctl writes in chroot' CONFIG_GRKERNSEC_CHROOT_SYSCTL
1018 +bool 'Capability restrictions within chroot' CONFIG_GRKERNSEC_CHROOT_CAPS
1019 +bool 'Trusted path execution' CONFIG_GRKERNSEC_TPE
1020 +if [ "$CONFIG_GRKERNSEC_TPE" != "n" ]; then
1021 +bool ' Partially restrict non-root users' CONFIG_GRKERNSEC_TPE_ALL
1022 +int ' GID for untrusted users:' CONFIG_GRKERNSEC_TPE_GID 1005
1024 +bool 'Socket restrictions' CONFIG_GRKERNSEC_SOCKET
1025 +if [ "$CONFIG_GRKERNSEC_SOCKET" != "n" ]; then
1026 +bool ' Deny any sockets to group' CONFIG_GRKERNSEC_SOCKET_ALL
1027 +if [ "$CONFIG_GRKERNSEC_SOCKET_ALL" != "n" ]; then
1028 +int ' GID to deny all sockets for:' CONFIG_GRKERNSEC_SOCKET_ALL_GID 1004
1030 +bool ' Deny client sockets to group' CONFIG_GRKERNSEC_SOCKET_CLIENT
1031 +if [ "$CONFIG_GRKERNSEC_SOCKET_CLIENT" != "n" ]; then
1032 +int ' GID to deny client sockets for:' CONFIG_GRKERNSEC_SOCKET_CLIENT_GID 1003
1034 +bool ' Deny server sockets to group' CONFIG_GRKERNSEC_SOCKET_SERVER
1035 +if [ "$CONFIG_GRKERNSEC_SOCKET_SERVER" != "n" ]; then
1036 +int ' GID to deny server sockets for:' CONFIG_GRKERNSEC_SOCKET_SERVER_GID 1002
1039 +bool '/proc/<pid>/ipaddr support' CONFIG_GRKERNSEC_PROC_IPADDR
1040 +int 'Seconds in between log messages (minimum)' CONFIG_GRKERNSEC_FLOODTIME 10
1041 +int 'Number of messages in a burst (maximum)' CONFIG_GRKERNSEC_FLOODBURST 4
1042 +if [ "$CONFIG_SYSCTL" != "n" ]; then
1043 +bool 'Sysctl support' CONFIG_GRKERNSEC_SYSCTL
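Review bot: `CONFIG_GRKERNSEC_CHROOT_EXECLOG` is tested in grsecurity/grsec_chroot.c (gr_log_chroot_exec) and defaulted in grsecurity/grsec_init.c, but no `bool` line for it appears among the chroot options at 1006–1018, so unless it sits in one of the lines elided from this view the option can never be turned on and gr_log_chroot_exec compiles to a no-op; a line such as `bool 'Log execs within chroot' CONFIG_GRKERNSEC_CHROOT_EXECLOG` next to the other chroot entries would close the gap. The GID defaults at 1022, 1028, 1032 and 1036 (1002–1005) are arbitrary group numbers that an administrator has to map onto real groups; a one-line comment above the first of them saying they are placeholders to be set per site would make that explicit. The `if [ "$CONFIG_SYSCTL" != "n" ]` guard at 1042 means `CONFIG_GRKERNSEC_SYSCTL` silently disappears on a kernel built without sysctl support, which is worth a comment because the init code behaves differently in the two cases.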
1045 diff -urN linux-2.4.22/grsecurity/Makefile linux-2.4.22-grsec/grsecurity/Makefile
1046 --- linux-2.4.22/grsecurity/Makefile 1970-01-01 01:00:00.000000000 +0100
1047 +++ linux-2.4.22-grsec/grsecurity/Makefile 2003-10-09 19:19:48.000000000 +0200
1049 +# grsecurity's ACL system was originally written in 2001 by Michael Dalton
1050 +# during 2001, 2002, and 2003 it has been completely redesigned by
1053 +# All code in this directory and various hooks inserted throughout the kernel
1054 +# are copyright Brad Spengler, and released under the GPL, unless otherwise
1055 +# noted (as in obsd_rand.c)
1057 +O_TARGET := grsec.o
1059 +obj-$(CONFIG_GRKERNSEC) = grsec_chroot.o grsec_sysctl.o grsec_init.o grsec_sock.o grsec_tpe.o
1061 +include $(TOPDIR)/Rules.make
1062 diff -urN linux-2.4.22/grsecurity/grsec_chroot.c linux-2.4.22-grsec/grsecurity/grsec_chroot.c
1063 --- linux-2.4.22/grsecurity/grsec_chroot.c 1970-01-01 01:00:00.000000000 +0100
1064 +++ linux-2.4.22-grsec/grsecurity/grsec_chroot.c 2003-10-09 19:13:26.000000000 +0200
1066 +#include <linux/kernel.h>
1067 +#include <linux/sched.h>
1068 +#include <linux/file.h>
1069 +#include <linux/fs.h>
1070 +#include <linux/types.h>
1071 +#include <linux/grinternal.h>
1073 +static __inline__ char *
1074 +d_real_path(const struct dentry *dentry, const struct vfsmount *vfsmnt,
1075 + char *buf, int buflen)
1078 + struct dentry *our_dentry;
1079 + struct vfsmount *our_mount;
1080 + struct vfsmount *rootmnt;
1081 + struct dentry *root;
1083 + our_dentry = (struct dentry *) dentry;
1084 + our_mount = (struct vfsmount *) vfsmnt;
1086 + read_lock(&child_reaper->fs->lock);
1087 + rootmnt = mntget(child_reaper->fs->rootmnt);
1088 + root = dget(child_reaper->fs->root);
1089 + read_unlock(&child_reaper->fs->lock);
1091 + spin_lock(&dcache_lock);
1092 + res = __d_path(our_dentry, our_mount, root, rootmnt, buf, buflen);
1093 + spin_unlock(&dcache_lock);
1100 +gr_to_filename(const struct dentry *dentry, const struct vfsmount *mnt)
1102 + return d_real_path(dentry, mnt, gr_shared_page[0][smp_processor_id()],
1107 +gr_to_filename1(const struct dentry *dentry, const struct vfsmount *mnt)
1109 + return d_real_path(dentry, mnt, gr_shared_page[1][smp_processor_id()],
1114 +gr_to_filename2(const struct dentry *dentry, const struct vfsmount *mnt)
1116 + return d_real_path(dentry, mnt, gr_shared_page[2][smp_processor_id()],
1121 +gr_to_filename3(const struct dentry *dentry, const struct vfsmount *mnt)
1123 + return d_real_path(dentry, mnt, gr_shared_page[3][smp_processor_id()],
1128 +gr_handle_chroot_unix(const pid_t pid)
1130 +#ifdef CONFIG_GRKERNSEC_CHROOT_UNIX
1131 + struct task_struct *p, **htable;
1133 + if (unlikely(!grsec_enable_chroot_unix))
1136 + if (likely(!proc_is_chrooted(current)))
1139 + read_lock(&tasklist_lock);
1141 + htable = &pidhash[pid_hashfn(pid)];
1143 + for (p = *htable; p && p->pid != pid; p = p->pidhash_next) ;
1145 + if (unlikely(p && !have_same_root(current, p))) {
1146 + read_unlock(&tasklist_lock);
1147 + gr_security_alert(GR_UNIX_CHROOT_MSG, DEFAULTSECARGS);
1150 + read_unlock(&tasklist_lock);
1156 +gr_handle_chroot_nice(void)
1158 +#ifdef CONFIG_GRKERNSEC_CHROOT_NICE
1159 + if (grsec_enable_chroot_nice && proc_is_chrooted(current)) {
1160 + gr_security_alert(GR_NICE_CHROOT_MSG, DEFAULTSECARGS);
1168 +gr_handle_chroot_setpriority(const struct task_struct *p, const int niceval)
1170 +#ifdef CONFIG_GRKERNSEC_CHROOT_NICE
1171 + if (grsec_enable_chroot_nice && (!have_same_root(p, current)
1172 + || (have_same_root(p, current)
1173 + && (niceval < task_nice(p))
1174 + && proc_is_chrooted(current)))) {
1175 + gr_security_alert(GR_PRIORITY_CHROOT_MSG, p->comm, p->pid,
1184 +gr_handle_chroot_capset(const struct task_struct *target)
1186 +#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
1187 + if (grsec_enable_chroot_caps && proc_is_chrooted(current) &&
1188 + !have_same_root(current, target)) {
1189 + gr_security_alert(GR_CAPSET_CHROOT_MSG, target->comm, target->pid,
1198 +gr_handle_chroot_rawio(const struct inode *inode)
1200 +#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
1201 + if (grsec_enable_chroot_caps && proc_is_chrooted(current) &&
1202 + inode && S_ISBLK(inode->i_mode) && !capable(CAP_SYS_RAWIO))
1209 +gr_pid_is_chrooted(const struct task_struct *p)
1211 +#ifdef CONFIG_GRKERNSEC_CHROOT_FINDTASK
1212 + if (!grsec_enable_chroot_findtask || (current->pid <= 1))
1215 + if (p && p->fs && p->fs->root && p->fs->root->d_inode &&
1216 + child_reaper && child_reaper->fs && child_reaper->fs->root &&
1217 + child_reaper->fs->root->d_inode && current && current->fs &&
1218 + current->fs->root && current->fs->root->d_inode) {
1219 + if (proc_is_chrooted(current) && !have_same_root(current, p))
1227 +gr_chroot_fchdir(struct dentry *u_dentry, struct vfsmount *u_mnt)
1229 +#ifdef CONFIG_GRKERNSEC_CHROOT_FCHDIR
1230 + if (!grsec_enable_chroot_fchdir)
1233 + if (!proc_is_chrooted(current))
1236 + struct dentry *dentry = u_dentry;
1237 + struct vfsmount *mnt = u_mnt;
1238 + struct dentry *realroot;
1239 + struct vfsmount *realrootmnt;
1240 + struct dentry *currentroot;
1241 + struct vfsmount *currentmnt;
1243 + read_lock(&child_reaper->fs->lock);
1244 + realrootmnt = mntget(child_reaper->fs->rootmnt);
1245 + realroot = dget(child_reaper->fs->root);
1246 + read_unlock(&child_reaper->fs->lock);
1248 + read_lock(¤t->fs->lock);
1249 + currentmnt = mntget(current->fs->rootmnt);
1250 + currentroot = dget(current->fs->root);
1251 + read_unlock(¤t->fs->lock);
1253 + spin_lock(&dcache_lock);
1256 + ((dentry == realroot && mnt == realrootmnt)
1257 + || (dentry == currentroot && mnt == currentmnt)))
1260 + (dentry == mnt->mnt_root || IS_ROOT(dentry))) {
1261 + if (mnt->mnt_parent == mnt)
1263 + dentry = mnt->mnt_mountpoint;
1264 + mnt = mnt->mnt_parent;
1267 + dentry = dentry->d_parent;
1269 + spin_unlock(&dcache_lock);
1271 + dput(currentroot);
1272 + mntput(currentmnt);
1274 + if (dentry == realroot && mnt == realrootmnt) {
1275 + /* ok, they're definitely trying to fchdir outside of the
1278 + mntput(realrootmnt);
1279 + gr_security_alert(GR_CHROOT_FCHDIR_MSG,
1280 + gr_to_filename(u_dentry, u_mnt),
1285 + mntput(realrootmnt);
1294 +gr_chroot_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
1295 + const time_t shm_createtime)
1297 +#ifdef CONFIG_GRKERNSEC_CHROOT_SHMAT
1298 + struct task_struct *p, **htable;
1300 + if (unlikely(!grsec_enable_chroot_shmat))
1303 + if (likely(!proc_is_chrooted(current)))
1306 + read_lock(&tasklist_lock);
1308 + htable = &pidhash[pid_hashfn(shm_cprid)];
1310 + for (p = *htable; p && p->pid != shm_cprid; p = p->pidhash_next) ;
1312 + if (unlikely(p && !have_same_root(current, p) &&
1313 + (p->start_time < shm_createtime))) {
1314 + read_unlock(&tasklist_lock);
1315 + gr_security_alert(GR_SHMAT_CHROOT_MSG, DEFAULTSECARGS);
1319 + if (unlikely(!p)) {
1320 + htable = &pidhash[pid_hashfn(shm_lapid)];
1321 + for (p = *htable; p && p->pid != shm_lapid;
1322 + p = p->pidhash_next) ;
1324 + if (unlikely(p && !have_same_root(current, p))) {
1325 + read_unlock(&tasklist_lock);
1326 + gr_security_alert(GR_SHMAT_CHROOT_MSG, DEFAULTSECARGS);
1331 + read_unlock(&tasklist_lock);
1337 +gr_log_chroot_exec(const struct dentry *dentry, const struct vfsmount *mnt)
1339 +#ifdef CONFIG_GRKERNSEC_CHROOT_EXECLOG
1340 + if (grsec_enable_chroot_execlog && proc_is_chrooted(current))
1341 + security_audit(GR_EXEC_CHROOT_MSG, gr_to_filename(dentry, mnt),
1348 +gr_handle_chroot_mknod(const struct dentry *dentry,
1349 + const struct vfsmount *mnt, const int mode)
1351 +#ifdef CONFIG_GRKERNSEC_CHROOT_MKNOD
1352 + if (grsec_enable_chroot_mknod && !S_ISFIFO(mode) &&
1353 + proc_is_chrooted(current)) {
1354 + gr_security_alert(GR_MKNOD_CHROOT_MSG,
1355 + gr_to_filename(dentry, mnt), DEFAULTSECARGS);
1363 +gr_handle_chroot_mount(const struct dentry *dentry,
1364 + const struct vfsmount *mnt, const char *dev_name)
1366 +#ifdef CONFIG_GRKERNSEC_CHROOT_MOUNT
1367 + if (grsec_enable_chroot_mount && proc_is_chrooted(current)) {
1368 + gr_security_alert(GR_MOUNT_CHROOT_MSG, dev_name,
1369 + gr_to_filename(dentry, mnt), DEFAULTSECARGS);
1377 +gr_handle_chroot_pivot(void)
1379 +#ifdef CONFIG_GRKERNSEC_CHROOT_PIVOT
1380 + if (grsec_enable_chroot_pivot && proc_is_chrooted(current)) {
1381 + gr_security_alert(GR_PIVOT_CHROOT_MSG, DEFAULTSECARGS);
1389 +gr_handle_chroot_chroot(const struct dentry *dentry, const struct vfsmount *mnt)
1391 +#ifdef CONFIG_GRKERNSEC_CHROOT_DOUBLE
1392 + if (grsec_enable_chroot_double && proc_is_chrooted(current)) {
1393 + gr_security_alert(GR_CHROOT_CHROOT_MSG,
1394 + gr_to_filename(dentry, mnt), DEFAULTSECARGS);
1402 +gr_handle_chroot_caps(struct task_struct *task)
1404 +#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
1405 + if (grsec_enable_chroot_caps && proc_is_chrooted(task)) {
1406 + task->cap_permitted =
1407 + cap_drop(task->cap_permitted, GR_CHROOT_CAPS);
1408 + task->cap_inheritable =
1409 + cap_drop(task->cap_inheritable, GR_CHROOT_CAPS);
1410 + task->cap_effective =
1411 + cap_drop(task->cap_effective, GR_CHROOT_CAPS);
1418 +gr_handle_chroot_sysctl(const int op)
1420 +#ifdef CONFIG_GRKERNSEC_CHROOT_SYSCTL
1421 + if (grsec_enable_chroot_sysctl && proc_is_chrooted(current)
1429 +gr_handle_chroot_chdir(struct dentry *dentry, struct vfsmount *mnt)
1431 +#ifdef CONFIG_GRKERNSEC_CHROOT_CHDIR
1432 + if (grsec_enable_chroot_chdir)
1433 + set_fs_pwd(current->fs, mnt, dentry);
1439 +gr_handle_chroot_chmod(const struct dentry *dentry,
1440 + const struct vfsmount *mnt, const int mode)
1442 +#ifdef CONFIG_GRKERNSEC_CHROOT_CHMOD
1443 + if (grsec_enable_chroot_chmod &&
1444 + ((mode & S_ISUID) || (mode & S_ISGID)) &&
1445 + proc_is_chrooted(current)) {
1446 + gr_security_alert(GR_CHMOD_CHROOT_MSG,
1447 + gr_to_filename(dentry, mnt), DEFAULTSECARGS);
1455 +gr_copy_label(struct task_struct *tsk)
1457 + tsk->used_accept = 0;
1458 + tsk->used_connect = 0;
1459 + tsk->curr_ip = current->curr_ip;
1460 + if (current->exec_file)
1461 + get_file(current->exec_file);
1462 + tsk->exec_file = current->exec_file;
1463 + if (unlikely(current->used_accept))
1464 + current->curr_ip = 0;
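Review bot: In gr_chroot_shmat the pid-reuse guard `p->start_time < shm_createtime` (1313) appears to compare values in different units: `shm_createtime` is a `time_t` filled from `CURRENT_TIME` in ipc/shm.c (wall-clock seconds), while a 2.4 task's `start_time` is, as far as I know, recorded in jiffies, which would make the test effectively always true early in uptime and always false later — confirm the unit of `start_time` and store the same clock on both sides. Independently, the `shm_lapid` fallback at 1319 is gated on `!p`, so when the creator's pid has been reused by a process that fails the start-time test neither the creator nor the last attacher is checked and the attach is allowed; `if (unlikely(!p || p->start_time >= shm_createtime))` keeps the fallback reachable. Both this function and gr_handle_chroot_unix walk `pidhash` by hand (1141–1143, 1308–1310) instead of calling find_task_by_pid, which this patch hooks with gr_pid_is_chrooted; a comment stating that the bypass is deliberate (the check must be able to see tasks outside the caller's root) would save the next reader the question. gr_copy_label also resets the parent's `curr_ip` to 0 when `used_accept` is set (1463–1464), a side effect on `current` inside a copy-to-child helper that deserves a why-comment.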
1468 diff -urN linux-2.4.22/grsecurity/grsec_init.c linux-2.4.22-grsec/grsecurity/grsec_init.c
1469 --- linux-2.4.22/grsecurity/grsec_init.c 1970-01-01 01:00:00.000000000 +0100
1470 +++ linux-2.4.22-grsec/grsecurity/grsec_init.c 2003-10-09 19:16:48.000000000 +0200
1472 +#include <linux/kernel.h>
1473 +#include <linux/sched.h>
1474 +#include <linux/mm.h>
1475 +#include <linux/smp_lock.h>
1476 +#include <linux/slab.h>
1478 +int grsec_enable_chroot_findtask;
1479 +int grsec_enable_chroot_mount;
1480 +int grsec_enable_chroot_shmat;
1481 +int grsec_enable_chroot_fchdir;
1482 +int grsec_enable_chroot_double;
1483 +int grsec_enable_chroot_pivot;
1484 +int grsec_enable_chroot_chdir;
1485 +int grsec_enable_chroot_chmod;
1486 +int grsec_enable_chroot_mknod;
1487 +int grsec_enable_chroot_nice;
1488 +int grsec_enable_chroot_execlog;
1489 +int grsec_enable_chroot_caps;
1490 +int grsec_enable_chroot_sysctl;
1491 +int grsec_enable_chroot_unix;
1492 +int grsec_enable_tpe;
1494 +int grsec_enable_tpe_all;
1495 +int grsec_enable_socket_all;
1496 +int grsec_socket_all_gid;
1497 +int grsec_enable_socket_client;
1498 +int grsec_socket_client_gid;
1499 +int grsec_enable_socket_server;
1500 +int grsec_socket_server_gid;
1503 +spinlock_t grsec_alert_lock = SPIN_LOCK_UNLOCKED;
1504 +unsigned long grsec_alert_wtime = 0;
1505 +unsigned long grsec_alert_fyet = 0;
1507 +spinlock_t grsec_alertgood_lock = SPIN_LOCK_UNLOCKED;
1508 +unsigned long grsec_alertgood_wtime = 0;
1509 +unsigned long grsec_alertgood_fyet = 0;
1511 +spinlock_t grsec_audit_lock = SPIN_LOCK_UNLOCKED;
1513 +char *gr_shared_page[4][NR_CPUS];
1516 +grsecurity_init(void)
1519 + /* create the per-cpu shared pages */
1521 + for (j = 0; j < 4; j++) {
1522 + for (i = 0; i < NR_CPUS; i++) {
1523 + gr_shared_page[j][i] = (char *) get_zeroed_page(GFP_KERNEL);
1524 + if (!gr_shared_page[j][i]) {
1525 + panic("Unable to allocate grsecurity shared page");
1531 +#ifndef CONFIG_GRKERNSEC_SYSCTL
1533 +#ifdef CONFIG_GRKERNSEC_CHROOT_FINDTASK
1534 + grsec_enable_chroot_findtask = 1;
1536 +#ifdef CONFIG_GRKERNSEC_CHROOT_UNIX
1537 + grsec_enable_chroot_unix = 1;
1539 +#ifdef CONFIG_GRKERNSEC_CHROOT_MOUNT
1540 + grsec_enable_chroot_mount = 1;
1542 +#ifdef CONFIG_GRKERNSEC_CHROOT_FCHDIR
1543 + grsec_enable_chroot_fchdir = 1;
1545 +#ifdef CONFIG_GRKERNSEC_CHROOT_SHMAT
1546 + grsec_enable_chroot_shmat = 1;
1548 +#ifdef CONFIG_GRKERNSEC_CHROOT_DOUBLE
1549 + grsec_enable_chroot_double = 1;
1551 +#ifdef CONFIG_GRKERNSEC_CHROOT_PIVOT
1552 + grsec_enable_chroot_pivot = 1;
1554 +#ifdef CONFIG_GRKERNSEC_CHROOT_CHDIR
1555 + grsec_enable_chroot_chdir = 1;
1557 +#ifdef CONFIG_GRKERNSEC_CHROOT_CHMOD
1558 + grsec_enable_chroot_chmod = 1;
1560 +#ifdef CONFIG_GRKERNSEC_CHROOT_MKNOD
1561 + grsec_enable_chroot_mknod = 1;
1563 +#ifdef CONFIG_GRKERNSEC_CHROOT_NICE
1564 + grsec_enable_chroot_nice = 1;
1566 +#ifdef CONFIG_GRKERNSEC_CHROOT_EXECLOG
1567 + grsec_enable_chroot_execlog = 1;
1569 +#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
1570 + grsec_enable_chroot_caps = 1;
1572 +#ifdef CONFIG_GRKERNSEC_CHROOT_SYSCTL
1573 + grsec_enable_chroot_sysctl = 1;
1575 +#ifdef CONFIG_GRKERNSEC_TPE
1576 + grsec_enable_tpe = 1;
1577 + grsec_tpe_gid = CONFIG_GRKERNSEC_TPE_GID;
1578 +#ifdef CONFIG_GRKERNSEC_TPE_ALL
1579 + grsec_enable_tpe_all = 1;
1582 +#ifdef CONFIG_GRKERNSEC_SOCKET_ALL
1583 + grsec_enable_socket_all = 1;
1584 + grsec_socket_all_gid = CONFIG_GRKERNSEC_SOCKET_ALL_GID;
1586 +#ifdef CONFIG_GRKERNSEC_SOCKET_CLIENT
1587 + grsec_enable_socket_client = 1;
1588 + grsec_socket_client_gid = CONFIG_GRKERNSEC_SOCKET_CLIENT_GID;
1590 +#ifdef CONFIG_GRKERNSEC_SOCKET_SERVER
1591 + grsec_enable_socket_server = 1;
1592 + grsec_socket_server_gid = CONFIG_GRKERNSEC_SOCKET_SERVER_GID;
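Review bot: With CONFIG_GRKERNSEC_SYSCTL enabled the entire `#ifndef CONFIG_GRKERNSEC_SYSCTL` block from 1531 onward is compiled out, so every `grsec_enable_*` flag keeps its zero initializer and all chroot, TPE and socket restrictions are off from boot until userspace writes the sysctls; unless the sysctl registration elsewhere in the patch seeds them, that is a fail-open default that differs from the non-sysctl build, and a comment at the `#ifndef` stating which behaviour is intended would help. The loop bounds at 1521–1522 hard-code `4`, which must stay in step with `gr_shared_page[4][NR_CPUS]` (1513, and the extern in grinternal.h) and with the four gr_to_filename* helpers that index it; a single `#define GR_SHARED_PAGES 4` used in the array declaration and the loop would stop them drifting apart. The `panic()` at 1525 is acceptable during init but would be more useful if it named the slot, e.g. `panic("grsecurity: unable to allocate shared page %d for cpu %d", j, i);`.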
1598 diff -urN linux-2.4.22/grsecurity/grsec_sock.c linux-2.4.22/grsecurity/grsec_sock.c
1599 --- linux-2.4.22/grsecurity/grsec_sock.c 1969-12-31 19:00:00.000000000 -0500
1600 +++ linux-2.4.22/grsecurity/grsec_sock.c 2003-09-02 19:29:42.000000000 -0400
1602 +#include <linux/kernel.h>
1603 +#include <linux/sched.h>
1604 +#include <linux/file.h>
1605 +#include <linux/net.h>
1606 +#include <net/sock.h>
1607 +#include <linux/grsecurity.h>
1608 +#include <linux/grinternal.h>
1611 +gr_attach_curr_ip(const struct sock *sk)
1613 +#ifdef CONFIG_GRKERNSEC
1614 + struct task_struct *p;
1616 + struct inode *inode;
1617 + struct file *filp;
1618 + struct socket *connect_sock;
1620 + if (unlikely(sk->protocol != IPPROTO_TCP))
1623 + read_lock(&tasklist_lock);
1624 + for_each_task(p) {
1625 + if (!p->used_connect)
1628 + if (unlikely(!p->files)) {
1632 + read_lock(&p->files->file_lock);
1633 + for (i = 0; i < p->files->max_fds; i++) {
1634 + filp = fcheck_files(p->files, i);
1635 + if (likely(!filp))
1637 + inode = filp->f_dentry->d_inode;
1638 + if (likely(!inode || !inode->i_sock))
1640 + connect_sock = &inode->u.socket_i;
1641 + if (unlikely(!connect_sock ||
1642 + connect_sock->sk->protocol != IPPROTO_TCP))
1644 + if (unlikely(sk->rcv_saddr == connect_sock->sk->daddr &&
1645 + sk->daddr == connect_sock->sk->rcv_saddr &&
1646 + ntohs(sk->sport) ==
1647 + ntohs(connect_sock->sk->dport)
1648 + && ntohs(sk->dport) ==
1649 + ntohs(connect_sock->sk->sport))) {
1650 + current->curr_ip = p->curr_ip;
1651 + current->used_accept = 1;
1652 + read_unlock(&p->files->file_lock);
1654 + read_unlock(&tasklist_lock);
1658 + read_unlock(&p->files->file_lock);
1661 + read_unlock(&tasklist_lock);
1663 + current->curr_ip = sk->daddr;
1664 + current->used_accept = 1;
1670 +gr_handle_sock_all(const int family, const int type, const int protocol)
1672 +#ifdef CONFIG_GRKERNSEC_SOCKET_ALL
1673 + if (grsec_enable_socket_all && in_group_p(grsec_socket_all_gid) &&
1674 + (family != AF_UNIX) && (family != AF_LOCAL)) {
1675 + gr_security_alert(GR_SOCK_MSG, family, type, protocol,
1684 +gr_handle_sock_server(const struct sockaddr *sck)
1686 +#ifdef CONFIG_GRKERNSEC_SOCKET_SERVER
1687 + if (grsec_enable_socket_server &&
1688 + in_group_p(grsec_socket_server_gid) &&
1689 + sck && (sck->sa_family != AF_UNIX) &&
1690 + (sck->sa_family != AF_LOCAL)) {
1691 + gr_security_alert(GR_BIND_MSG, DEFAULTSECARGS);
1699 +gr_handle_sock_client(const struct sockaddr *sck)
1701 +#ifdef CONFIG_GRKERNSEC_SOCKET_CLIENT
1702 + if (grsec_enable_socket_client && in_group_p(grsec_socket_client_gid) &&
1703 + sck && (sck->sa_family != AF_UNIX) &&
1704 + (sck->sa_family != AF_LOCAL)) {
1705 + gr_security_alert(GR_CONNECT_MSG, DEFAULTSECARGS);
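Review bot: gr_attach_curr_ip walks every task and, for each one with `used_connect` set, every slot of its fd table (1624–1658) on each accepted TCP connection, all while holding `tasklist_lock` for read; that is O(tasks × max_fds) per accept(), so one process holding many descriptors slows every accept() on the machine, and the 4-tuple match at 1644–1649 can only ever succeed when the peer is a socket on this host — a cheap local-address test on `sk->daddr` (for instance via `inet_addr_type()`) before the walk would skip it for remote peers, and the cost deserves a sentence in a header comment either way. `connect_sock->sk` is dereferenced at 1642 with no NULL check, whereas the `!connect_sock` test on 1641 can never be true because it is the address of an embedded member; I believe it is the `sk` check that is needed, but confirm against how a released socket inode looks in this tree. The fallback at 1663–1664 tags the accepting task with the peer address even when no local connector matched, which is the behaviour the help text describes but is worth a one-line comment at that point.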
1711 diff -urN linux-2.4.22/grsecurity/grsec_sysctl.c linux-2.4.22-grsec/grsecurity/grsec_sysctl.c
1712 --- linux-2.4.22/grsecurity/grsec_sysctl.c 1970-01-01 01:00:00.000000000 +0100
1713 +++ linux-2.4.22-grsec/grsecurity/grsec_sysctl.c 2003-10-09 19:13:26.000000000 +0200
1715 +#include <linux/kernel.h>
1716 +#include <linux/sched.h>
1717 +#include <linux/sysctl.h>
1718 +#include <linux/grinternal.h>
1721 +gr_handle_sysctl_mod(const char *dirname, const char *name, const int op)
1723 +#ifdef CONFIG_GRKERNSEC_SYSCTL
1724 + if (!strcmp(dirname, "grsecurity") && grsec_lock && (op & 002)) {
1725 + gr_security_alert(GR_SYSCTL_MSG, name, DEFAULTSECARGS);
1731 diff -urN linux-2.4.22/grsecurity/grsec_tpe.c linux-2.4.22/grsecurity/grsec_tpe.c
1732 --- linux-2.4.22/grsecurity/grsec_tpe.c 1969-12-31 19:00:00.000000000 -0500
1733 +++ linux-2.4.22/grsecurity/grsec_tpe.c 2003-09-02 19:29:42.000000000 -0400
1735 +#include <linux/kernel.h>
1736 +#include <linux/sched.h>
1737 +#include <linux/file.h>
1738 +#include <linux/fs.h>
1739 +#include <linux/grinternal.h>
1742 +gr_tpe_allow(const struct file *file)
1744 +#ifdef CONFIG_GRKERNSEC
1745 + struct inode *inode = file->f_dentry->d_parent->d_inode;
1747 + if (current->uid && ((grsec_enable_tpe && in_group_p(grsec_tpe_gid))) &&
1748 + (inode->i_uid || (!inode->i_uid && ((inode->i_mode & S_IWGRP) ||
1749 + (inode->i_mode & S_IWOTH))))) {
1750 + gr_security_alert(GR_EXEC_TPE_MSG,
1751 + gr_to_filename(file->f_dentry, file->f_vfsmnt),
1755 +#ifdef CONFIG_GRKERNSEC_TPE_ALL
1756 + if (current->uid && grsec_enable_tpe && grsec_enable_tpe_all &&
1757 + ((inode->i_uid && (inode->i_uid != current->uid)) ||
1758 + (inode->i_mode & S_IWGRP) || (inode->i_mode & S_IWOTH))) {
1759 + gr_security_alert(GR_EXEC_TPE_MSG,
1760 + gr_to_filename(file->f_dentry, file->f_vfsmnt),
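Review bot: gr_tpe_allow keys both the root exemption and the ownership comparison on `current->uid` (1747, 1756–1757), i.e. the real uid, while the rest of the exec path judges file access by fsuid/euid; confirm this is intended, since a process that has merely dropped its effective uid is exempt while a setuid program running from a non-zero real uid is still checked. `inode` at 1745 is the parent directory's inode, so what is judged is the directory's owner and its group/other write bits rather than the binary's — a comment such as `/* TPE judges the directory containing the binary, not the binary itself */` above that line would prevent the obvious misreading. The first condition spells `inode->i_uid || (!inode->i_uid && ((inode->i_mode & S_IWGRP) || (inode->i_mode & S_IWOTH)))`, which is equivalent to `inode->i_uid || (inode->i_mode & (S_IWGRP | S_IWOTH))`; the same mask form would also shorten 1758.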
1768 diff -urN linux-2.4.22/include/linux/grinternal.h linux-2.4.22-grsec/include/linux/grinternal.h
1769 --- linux-2.4.22/include/linux/grinternal.h 1970-01-01 01:00:00.000000000 +0100
1770 +++ linux-2.4.22-grsec/include/linux/grinternal.h 2003-10-09 19:13:26.000000000 +0200
1772 +#ifndef __GRINTERNAL_H
1773 +#define __GRINTERNAL_H
1775 +#ifdef CONFIG_GRKERNSEC
1777 +#include <linux/grmsg.h>
1779 +extern char *gr_shared_page[4][NR_CPUS];
1781 +extern char *gr_to_filename(const struct dentry *dentry,
1782 + const struct vfsmount *mnt);
1783 +extern char *gr_to_filename1(const struct dentry *dentry,
1784 + const struct vfsmount *mnt);
1785 +extern char *gr_to_filename2(const struct dentry *dentry,
1786 + const struct vfsmount *mnt);
1787 +extern char *gr_to_filename3(const struct dentry *dentry,
1788 + const struct vfsmount *mnt);
1790 +extern int grsec_enable_chroot_shmat;
1791 +extern int grsec_enable_chroot_findtask;
1792 +extern int grsec_enable_chroot_mount;
1793 +extern int grsec_enable_chroot_double;
1794 +extern int grsec_enable_chroot_pivot;
1795 +extern int grsec_enable_chroot_chdir;
1796 +extern int grsec_enable_chroot_chmod;
1797 +extern int grsec_enable_chroot_mknod;
1798 +extern int grsec_enable_chroot_fchdir;
1799 +extern int grsec_enable_chroot_nice;
1800 +extern int grsec_enable_chroot_execlog;
1801 +extern int grsec_enable_chroot_caps;
1802 +extern int grsec_enable_chroot_sysctl;
1803 +extern int grsec_enable_chroot_unix;
1804 +extern int grsec_enable_tpe;
1805 +extern int grsec_tpe_gid;
1806 +extern int grsec_enable_tpe_all;
1807 +extern int grsec_enable_socket_all;
1808 +extern int grsec_socket_all_gid;
1809 +extern int grsec_enable_socket_client;
1810 +extern int grsec_socket_client_gid;
1811 +extern int grsec_enable_socket_server;
1812 +extern int grsec_socket_server_gid;
1813 +extern int grsec_lock;
1815 +extern struct task_struct *child_reaper;
1817 +extern spinlock_t grsec_alert_lock;
1818 +extern unsigned long grsec_alert_wtime;
1819 +extern unsigned long grsec_alert_fyet;
1821 +extern spinlock_t grsec_alertgood_lock;
1822 +extern unsigned long grsec_alertgood_wtime;
1823 +extern unsigned long grsec_alertgood_fyet;
1825 +extern spinlock_t grsec_audit_lock;
1827 +#define gr_task_fullpath(tsk) (tsk->exec_file ? \
1828 + gr_to_filename2(tsk->exec_file->f_dentry, \
1829 + tsk->exec_file->f_vfsmnt) : "/")
1831 +#define gr_parent_task_fullpath(tsk) (tsk->p_pptr->exec_file ? \
1832 + gr_to_filename3(tsk->p_pptr->exec_file->f_dentry, \
1833 + tsk->p_pptr->exec_file->f_vfsmnt) : "/")
1835 +#define proc_is_chrooted(tsk_a) ((tsk_a->pid > 1) && \
1836 + ((tsk_a->fs->root->d_inode->i_dev != \
1837 + child_reaper->fs->root->d_inode->i_dev) || \
1838 + (tsk_a->fs->root->d_inode->i_ino != \
1839 + child_reaper->fs->root->d_inode->i_ino)))
1841 +#define have_same_root(tsk_a,tsk_b) ((tsk_a->fs->root->d_inode->i_dev == \
1842 + tsk_b->fs->root->d_inode->i_dev) && \
1843 + (tsk_a->fs->root->d_inode->i_ino == \
1844 + tsk_b->fs->root->d_inode->i_ino))
1846 +#define DEFAULTSECARGS gr_task_fullpath(current), current->comm, \
1847 + current->pid, current->uid, \
1848 + current->euid, current->gid, current->egid, \
1849 + gr_parent_task_fullpath(current), \
1850 + current->p_pptr->comm, current->p_pptr->pid, \
1851 + current->p_pptr->uid, current->p_pptr->euid, \
1852 + current->p_pptr->gid, current->p_pptr->egid
1854 +#define GR_CHROOT_CAPS ( \
1855 + CAP_TO_MASK(CAP_FOWNER) | \
1856 + CAP_TO_MASK(CAP_LINUX_IMMUTABLE) | CAP_TO_MASK(CAP_NET_ADMIN) | \
1857 + CAP_TO_MASK(CAP_SYS_MODULE) | CAP_TO_MASK(CAP_SYS_RAWIO) | \
1858 + CAP_TO_MASK(CAP_SYS_PACCT) | CAP_TO_MASK(CAP_SYS_ADMIN) | \
1859 + CAP_TO_MASK(CAP_SYS_BOOT) | CAP_TO_MASK(CAP_SYS_TIME) | \
1860 + CAP_TO_MASK(CAP_NET_RAW) | CAP_TO_MASK(CAP_SYS_TTY_CONFIG) | \
1861 + CAP_TO_MASK(CAP_IPC_OWNER))
1863 +#define gr_security_alert(normal_msg,args...) \
1865 + spin_lock(&grsec_alert_lock); \
1867 + if (!grsec_alert_wtime || jiffies - grsec_alert_wtime > CONFIG_GRKERNSEC_FLOODTIME * HZ) { \
1868 + grsec_alert_wtime = jiffies; grsec_alert_fyet = 0; \
1869 + if (current->curr_ip) \
1870 + printk(KERN_ALERT "grsec: From %u.%u.%u.%u: " normal_msg "\n", NIPQUAD(current->curr_ip) , ## args); \
1872 + printk(KERN_ALERT "grsec: " normal_msg "\n" , ## args); \
1873 + } else if((jiffies - grsec_alert_wtime < CONFIG_GRKERNSEC_FLOODTIME * HZ) && (grsec_alert_fyet < CONFIG_GRKERNSEC_FLOODBURST)) { \
1874 + grsec_alert_fyet++; \
1875 + if (current->curr_ip) \
1876 + printk(KERN_ALERT "grsec: From %u.%u.%u.%u: " normal_msg "\n", NIPQUAD(current->curr_ip) , ## args); \
1878 + printk(KERN_ALERT "grsec: " normal_msg "\n" , ## args); \
1879 + } else if (grsec_alert_fyet == CONFIG_GRKERNSEC_FLOODBURST) { \
1880 + grsec_alert_wtime = jiffies; grsec_alert_fyet++; \
1881 + printk(KERN_ALERT "grsec: more alerts, logging disabled for " \
1882 + "%d seconds\n", CONFIG_GRKERNSEC_FLOODTIME); \
1885 + spin_unlock(&grsec_alert_lock); \
1888 +#define security_audit(normal_msg,args...) \
1890 + spin_lock(&grsec_audit_lock); \
1891 + if (current->curr_ip) \
1892 + printk(KERN_INFO "grsec: From %u.%u.%u.%u: " normal_msg "\n", \
1893 + NIPQUAD(current->curr_ip) , ## args); \
1895 + printk(KERN_INFO "grsec: " normal_msg "\n", ## args); \
1896 + spin_unlock(&grsec_audit_lock); \
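Review bot: `gr_parent_task_fullpath` (1831–1833), reached through DEFAULTSECARGS from almost every alert, reads `tsk->p_pptr->exec_file` twice and then `->f_dentry` with no reference on the parent's file and no `tasklist_lock`, while kernel/exit.c in this same patch does `fput(current->exec_file); current->exec_file = NULL;` under the write lock — so, as far as I can see, a parent exiting while its child logs an alert can hand the macro a NULL or already-released file, and callers such as gr_handle_chroot_unix evaluate it only after `read_unlock(&tasklist_lock)` (1146–1147); either hold the read lock (or take a `get_file`) for the duration of the printk, or make the macro tolerate a NULL. The parameters of `gr_task_fullpath`, `proc_is_chrooted` and `have_same_root` are used unparenthesised (`tsk_a->pid`), so any argument more complex than an identifier breaks; write them as `((tsk_a)->pid > 1)` and so on. In gr_security_alert the first branch fires on `jiffies - grsec_alert_wtime > CONFIG_GRKERNSEC_FLOODTIME * HZ` and the second on `<`, so an alert landing exactly on the boundary with `fyet < FLOODBURST` matches neither branch and is silently dropped; `>=` in the first test closes that hole.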
1902 diff -urN linux-2.4.22/include/linux/grmsg.h linux-2.4.22-grsec/include/linux/grmsg.h
1903 --- linux-2.4.22/include/linux/grmsg.h 1970-01-01 01:00:00.000000000 +0100
1904 +++ linux-2.4.22-grsec/include/linux/grmsg.h 2003-10-09 19:13:26.000000000 +0200
1906 +#define DEFAULTSECMSG "%.256s[%.16s:%d] uid/euid:%d/%d gid/egid:%d/%d, parent %.256s[%.16s:%d] uid/euid:%d/%d gid/egid:%d/%d"
1907 +#define GR_UNIX_CHROOT_MSG "denied connect to abstract AF_UNIX socket outside of chroot by " DEFAULTSECMSG
1908 +#define GR_SHMAT_CHROOT_MSG "denied attach of shared memory outside of chroot by " DEFAULTSECMSG
1909 +#define GR_MKNOD_CHROOT_MSG "refused attempt to mknod %.950s from chroot by " DEFAULTSECMSG
1910 +#define GR_MOUNT_CHROOT_MSG "denied attempt to mount %.30s as %.930s from chroot by " DEFAULTSECMSG
1911 +#define GR_PIVOT_CHROOT_MSG "denied attempt to pivot_root from chroot by " DEFAULTSECMSG
1912 +#define GR_CHROOT_CHROOT_MSG "denied attempt to double chroot to %.950s by " DEFAULTSECMSG
1913 +#define GR_CHMOD_CHROOT_MSG "denied attempt to chmod +s %.950s by " DEFAULTSECMSG
1914 +#define GR_CHROOT_FCHDIR_MSG "attempted fchdir outside of chroot to %.950s by " DEFAULTSECMSG
1915 +#define GR_PRIORITY_CHROOT_MSG "attempted priority change of process (%.16s:%d) by " DEFAULTSECMSG
1916 +#define GR_CAPSET_CHROOT_MSG "denied capset of (%.16s:%d) within chroot by " DEFAULTSECMSG
1917 +#define GR_NICE_CHROOT_MSG "attempted priority change by " DEFAULTSECMSG
1918 +#define GR_SYSCTL_MSG "attempt to modify grsecurity sysctl value : %.32s by " DEFAULTSECMSG
1919 +#define GR_EXEC_CHROOT_MSG "exec of %.980s within chroot by process " DEFAULTSECMSG
1920 +#define GR_EXEC_TPE_MSG "denied untrusted exec of %.950s by " DEFAULTSECMSG
1921 +#define GR_SOCK_MSG "attempted socket(%d,%d,%d) by " DEFAULTSECMSG
1922 +#define GR_BIND_MSG "attempted bind() by " DEFAULTSECMSG
1923 +#define GR_CONNECT_MSG "attempted connect by " DEFAULTSECMSG
1924 diff -urN linux-2.4.22/include/linux/grsecurity.h linux-2.4.22-grsec/include/linux/grsecurity.h
1925 --- linux-2.4.22/include/linux/grsecurity.h 1970-01-01 01:00:00.000000000 +0100
1926 +++ linux-2.4.22-grsec/include/linux/grsecurity.h 2003-10-09 19:13:26.000000000 +0200
1928 +#ifndef GR_SECURITY_H
1929 +#define GR_SECURITY_H
1931 +extern int gr_pid_is_chrooted(const struct task_struct *p);
1932 +extern int gr_handle_chroot_nice(void);
1933 +extern int gr_handle_chroot_sysctl(const int op);
1934 +extern int gr_handle_chroot_capset(const struct task_struct *target);
1935 +extern int gr_handle_chroot_setpriority(const struct task_struct *p,
1936 + const int niceval);
1937 +extern int gr_chroot_fchdir(struct dentry *u_dentry, struct vfsmount *u_mnt);
1938 +extern int gr_handle_chroot_chroot(const struct dentry *dentry,
1939 + const struct vfsmount *mnt);
1940 +extern void gr_handle_chroot_caps(struct task_struct *task);
1941 +extern void gr_handle_chroot_chdir(struct dentry *dentry, struct vfsmount *mnt);
1942 +extern int gr_handle_chroot_chmod(const struct dentry *dentry,
1943 + const struct vfsmount *mnt, const int mode);
1944 +extern int gr_handle_chroot_mknod(const struct dentry *dentry,
1945 + const struct vfsmount *mnt, const int mode);
1946 +extern int gr_handle_chroot_mount(const struct dentry *dentry,
1947 + const struct vfsmount *mnt,
1948 + const char *dev_name);
1949 +extern int gr_handle_chroot_pivot(void);
1950 +extern int gr_handle_chroot_unix(const pid_t pid);
1952 +extern void gr_log_chroot_exec(const struct dentry *dentry,
1953 + const struct vfsmount *mnt);
1955 +extern void gr_copy_label(struct task_struct *tsk);
1957 +extern int gr_tpe_allow(const struct file *file);
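Review bot: The header says nothing about return conventions, and they are not uniform across the hooks: ipc/shm.c treats a zero return from gr_chroot_shmat as the deny case (`if (!gr_chroot_shmat(...))`), while kernel/capability.c treats a non-zero return from gr_handle_chroot_capset as deny (`if (gr_handle_chroot_capset(target))`). A one-line comment per prototype stating whether non-zero means "allowed" or "denied", or grouping the declarations under two headings, would prevent an inverted check at the next call site; gr_chroot_shmat should also be declared here rather than as a local `extern` in ipc/shm.c. Providing `static inline` no-op versions of these hooks under an `#else` for `!CONFIG_GRKERNSEC` would let callers drop the `#ifdef CONFIG_GRKERNSEC` wrappers that the patch spreads through capability.c, shm.c, exit.c and init/main.c.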
1960 diff -urN linux-2.4.22/include/linux/sched.h linux-2.4.22-grsec/include/linux/sched.h
1961 --- linux-2.4.22/include/linux/sched.h 2003-10-09 18:47:38.000000000 +0200
1962 +++ linux-2.4.22-grsec/include/linux/sched.h 2003-10-09 19:13:26.000000000 +0200
1964 #include <linux/securebits.h>
1965 #include <linux/fs_struct.h>
1967 +extern int gr_pid_is_chrooted(const struct task_struct *p);
1972 @@ -415,6 +432,13 @@
1974 /* journalling filesystem info */
1977 +#ifdef CONFIG_GRKERNSEC
1978 + struct file *exec_file;
1981 + u8 used_connect:1;
1986 @@ -556,6 +595,10 @@
1987 for(p = *htable; p && p->pid != pid; p = p->pidhash_next)
1990 +#ifdef CONFIG_GRKERNSEC
1991 + if(gr_pid_is_chrooted(p)) p = NULL;
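Review bot: The hook at 1990–1991 and the identical one at 2001–2002 turn a successful pidhash lookup into NULL whenever gr_pid_is_chrooted(p) says the caller is inside a chroot and `p` is not, so every user of these lookups in the kernel — not only the /proc and signal paths — now sees a "no such task" result; that is a global semantic change and deserves a comment at the hook, e.g. `/* grsecurity: a chrooted caller must not be able to address tasks outside its root */`. It also explains why gr_handle_chroot_unix and gr_chroot_shmat in grsecurity/grsec_chroot.c walk `pidhash` by hand instead of calling these helpers, and cross-referencing that in the same comment would help. The enclosing function bodies start and end outside both hunks, so I cannot confirm from here that `tasklist_lock` is held while gr_pid_is_chrooted dereferences `p->fs->root`.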
1997 @@ -583,6 +585,10 @@
1998 for(p = *htable; p && p->pid != pid; p = p->pidhash_next)
2001 +#ifdef CONFIG_GRKERNSEC
2002 + if(gr_pid_is_chrooted(p)) p = NULL;
2008 diff -urN linux-2.4.22/include/linux/sysctl.h linux-2.4.22-grsec/include/linux/sysctl.h
2009 --- linux-2.4.22/include/linux/sysctl.h 2003-10-09 18:47:24.000000000 +0200
2010 +++ linux-2.4.22-grsec/include/linux/sysctl.h 2003-10-09 19:13:26.000000000 +0200
2012 KERN_CORE_PATTERN=56, /* string: pattern for core-files */
2013 KERN_PPC_L3CR=57, /* l3cr register on PPC */
2014 KERN_EXCEPTION_TRACE=58, /* boolean: exception trace */
2015 + KERN_GRSECURITY=68, /* grsecurity */
2019 diff -urN linux-2.4.22/init/main.c linux-2.4.22-grsec/init/main.c
2020 --- linux-2.4.22/init/main.c 2003-10-09 18:47:32.000000000 +0200
2021 +++ linux-2.4.22-grsec/init/main.c 2003-10-09 19:13:26.000000000 +0200
2023 #include <linux/iobuf.h>
2024 #include <linux/bootmem.h>
2025 #include <linux/tty.h>
2026 +#include <linux/grsecurity.h>
2029 #include <asm/bugs.h>
2031 extern void ipc_init(void);
2034 +extern void grsecurity_init(void);
2037 * Boot command-line arguments
2042 prepare_namespace();
2043 +#ifdef CONFIG_GRKERNSEC
2044 + grsecurity_init();
2048 * Ok, we have completed the initial bootup, and
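Review bot: `extern void grsecurity_init(void);` is declared locally at 2034 even though `<linux/grsecurity.h>` is included a few lines earlier (2026); the prototype belongs in that header so the definition in grsecurity/grsec_init.c and this call are checked against one declaration. ipc/shm.c does the same with `gr_chroot_shmat` (2072–2073) and should be fixed the same way. If placing the call after `prepare_namespace()` (2042–2044) matters for the ordering of the initialisation, a one-line comment at the call site saying so would record it; nothing in the visible code explains the placement.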
2049 diff -urN linux-2.4.22/ipc/shm.c linux-2.4.22-grsec/ipc/shm.c
2050 --- linux-2.4.22/ipc/shm.c 2002-08-03 02:39:46.000000000 +0200
2051 +++ linux-2.4.22-grsec/ipc/shm.c 2003-10-09 19:13:26.000000000 +0200
2053 #include <linux/mman.h>
2054 #include <linux/proc_fs.h>
2055 #include <asm/uaccess.h>
2056 +#include <linux/grsecurity.h>
2065 +#ifdef CONFIG_GRKERNSEC
2066 + time_t shm_createtime;
2071 +#ifdef CONFIG_GRKERNSEC
2072 +extern int gr_chroot_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
2073 + const time_t shm_createtime);
2076 #define shm_flags shm_perm.mode
2078 static struct file_operations shm_file_operations;
2081 shp->shm_atim = shp->shm_dtim = 0;
2082 shp->shm_ctim = CURRENT_TIME;
2083 +#ifdef CONFIG_GRKERNSEC
2084 + shp->shm_createtime = CURRENT_TIME;
2086 shp->shm_segsz = size;
2087 shp->shm_nattch = 0;
2088 shp->id = shm_buildid(id,shp->shm_perm.seq);
2089 @@ -622,9 +636,22 @@
2094 +#ifdef CONFIG_GRKERNSEC
2095 + if (!gr_chroot_shmat(shp->shm_cprid, shp->shm_lapid, shp->shm_createtime)) {
2096 + shm_unlock(shmid);
2101 file = shp->shm_file;
2102 size = file->f_dentry->d_inode->i_size;
2105 +#ifdef CONFIG_GRKERNSEC
2106 + shp->shm_lapid = current->pid;
2111 down_write(¤t->mm->mmap_sem);
2112 diff -urN linux-2.4.22/kernel/capability.c linux-2.4.22-grsec/kernel/capability.c
2113 --- linux-2.4.22/kernel/capability.c 2003-10-09 18:46:57.000000000 +0200
2114 +++ linux-2.4.22-grsec/kernel/capability.c 2003-10-09 19:13:26.000000000 +0200
2117 #include <linux/mm.h>
2118 #include <asm/uaccess.h>
2119 +#include <linux/grsecurity.h>
2121 unsigned securebits = SECUREBITS_DEFAULT; /* systemwide security settings */
2123 @@ -170,6 +171,12 @@
2127 +#ifdef CONFIG_GRKERNSEC
2128 + if (gr_handle_chroot_capset(target)) {
2134 /* verify restrictions on target's new Inheritable set */
2135 if (!cap_issubset(inheritable,
2136 diff -urN linux-2.4.22/kernel/exit.c linux-2.4.22/kernel/exit.c
2137 --- linux-2.4.22/kernel/exit.c 2003-09-01 22:19:01.000000000 -0400
2138 +++ linux-2.4.22/kernel/exit.c 2003-09-02 19:29:42.000000000 -0400
2140 #ifdef CONFIG_BSD_PROCESS_ACCT
2141 #include <linux/acct.h>
2143 +#include <linux/file.h>
2144 +#include <linux/grsecurity.h>
2146 #include <asm/uaccess.h>
2147 #include <asm/pgtable.h>
2148 @@ -165,6 +165,13 @@
2150 write_lock_irq(&tasklist_lock);
2152 +#ifdef CONFIG_GRKERNSEC
2153 + if (current->exec_file) {
2154 + fput(current->exec_file);
2155 + current->exec_file = NULL;
2159 /* Reparent to init */
2160 REMOVE_LINKS(current);
2161 current->p_pptr = child_reaper;
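Review bot: The `fput(current->exec_file)` on 2154 runs while `tasklist_lock` is held with interrupts disabled (write_lock_irq on 2150); if this drops the last reference, __fput() invokes the file's release op and dput()/mntput(), which may sleep, and sleeping under an irq-disabled spinlock is not permitted. Unless the reference is guaranteed not to be the last one at this point, move the whole block above the write_lock_irq() — the task is already exiting, so nothing is gained by holding the lock while releasing it. The `#endif` on 2157 and the rest of the enclosing function are outside the shown lines.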
2162 diff -urN linux-2.4.22/kernel/fork.c linux-2.4.22/kernel/fork.c
2163 --- linux-2.4.22/kernel/fork.c 2003-09-01 22:19:01.000000000 -0400
2164 +++ linux-2.4.22/kernel/fork.c 2003-09-02 19:29:42.000000000 -0400
2166 #include <linux/namespace.h>
2167 #include <linux/personality.h>
2168 #include <linux/compiler.h>
2169 +#include <linux/grsecurity.h>
2171 #include <asm/pgtable.h>
2172 #include <asm/pgalloc.h>
2174 retval = copy_thread(0, clone_flags, stack_start, stack_size, p, regs);
2176 goto bad_fork_cleanup_namespace;
2177 +#ifdef CONFIG_GRKERNSEC
2182 /* Our parent execution domain becomes current domain
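Review bot: The body of the new `#ifdef CONFIG_GRKERNSEC` block (2178-2181) is not shown, so I can only flag the obligation it likely creates: if it takes a reference (for example on exec_file, which kernel/exit.c now releases with fput() on 2154), every fork failure path that follows it — the `bad_fork_cleanup_*` labels reached after this point — must drop that reference as well, or a failed clone leaks a struct file. Please confirm the cleanup label chain covers it, and document the pairing with a comment such as `/* released by the fput() in kernel/exit.c */`.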
2183 diff -urN linux-2.4.22/kernel/ksyms.c linux-2.4.22-grsec/kernel/ksyms.c
2184 --- linux-2.4.22/kernel/ksyms.c 2003-10-09 18:47:35.000000000 +0200
2185 +++ linux-2.4.22-grsec/kernel/ksyms.c 2003-10-09 19:13:26.000000000 +0200
2187 #include <linux/seq_file.h>
2188 #include <linux/dnotify.h>
2189 #include <linux/crc32.h>
2190 +#include <linux/grsecurity.h>
2191 #include <asm/checksum.h>
2193 #if defined(CONFIG_PROC_FS)
2195 /* To match ksyms with System.map */
2196 extern const char _end[];
2197 EXPORT_SYMBOL(_end);
2200 +#ifdef CONFIG_GRKERNSEC
2201 +EXPORT_SYMBOL(gr_pid_is_chrooted);
2203 diff -urN linux-2.4.22/kernel/sched.c linux-2.4.22-grsec/kernel/sched.c
2204 --- linux-2.4.22/kernel/sched.c 2003-10-09 18:47:25.000000000 +0200
2205 +++ linux-2.4.22-grsec/kernel/sched.c 2003-10-09 19:13:26.000000000 +0200
2207 #include <linux/nmi.h>
2208 #include <linux/interrupt.h>
2209 #include <linux/init.h>
2210 +#include <linux/file.h>
2211 #include <asm/uaccess.h>
2212 #include <linux/smp_lock.h>
2213 #include <asm/mmu_context.h>
2214 #include <linux/kernel_stat.h>
2215 #include <linux/completion.h>
2216 +#include <linux/grsecurity.h>
2219 * Convert user-nice values [ -20 ... 0 ... 19 ]
2220 @@ -1192,6 +1194,11 @@
2222 if (increment < -40)
2225 +#ifdef CONFIG_GRKERNSEC
2226 + if (gr_handle_chroot_nice())
2232 diff -urN linux-2.4.22/kernel/sys.c linux-2.4.22-grsec/kernel/sys.c
2233 --- linux-2.4.22/kernel/sys.c 2003-10-09 18:46:57.000000000 +0200
2234 +++ linux-2.4.22-grsec/kernel/sys.c 2003-10-09 19:13:26.000000000 +0200
2236 * Copyright (C) 1991, 1992 Linus Torvalds
2239 +#include <linux/config.h>
2240 #include <linux/module.h>
2241 #include <linux/mm.h>
2242 #include <linux/utsname.h>
2244 #include <linux/prctl.h>
2245 #include <linux/init.h>
2246 #include <linux/highuid.h>
2247 +#include <linux/grsecurity.h>
2249 #include <asm/uaccess.h>
2251 @@ -239,6 +241,14 @@
2253 if (error == -ESRCH)
2256 +#ifdef CONFIG_GRKERNSEC
2257 + if (gr_handle_chroot_setpriority(p, niceval)) {
2258 + read_unlock(&tasklist_lock);
2263 if (niceval < task_nice(p) && !capable(CAP_SYS_NICE))
2266 diff -urN linux-2.4.22/kernel/sysctl.c linux-2.4.22-grsec/kernel/sysctl.c
2267 --- linux-2.4.22/kernel/sysctl.c 2003-10-09 18:47:38.000000000 +0200
2268 +++ linux-2.4.22-grsec/kernel/sysctl.c 2003-10-09 19:13:26.000000000 +0200
2272 #if defined(CONFIG_SYSCTL)
2273 +#include <linux/grsecurity.h>
2274 +#include <linux/grinternal.h>
2276 +extern int gr_handle_sysctl_mod(const char *dirname, const char *name, const int op);
2277 +extern int gr_handle_chroot_sysctl(const int op);
2279 /* External variables not in a header file. */
2280 extern int panic_timeout;
2282 static ctl_table dev_table[];
2283 extern ctl_table random_table[];
2285 +static ctl_table grsecurity_table[];
2287 /* /proc declarations: */
2289 #ifdef CONFIG_PROC_FS
2290 @@ -272,8 +283,112 @@
2291 {KERN_EXCEPTION_TRACE,"exception-trace",
2292 &exception_trace,sizeof(int),0644,NULL,&proc_dointvec},
2294 +#ifdef CONFIG_GRKERNSEC_SYSCTL
2295 + {KERN_GRSECURITY, "grsecurity", NULL, 0, 0500, grsecurity_table},
2300 +#ifdef CONFIG_GRKERNSEC_SYSCTL
2301 +enum {GS_CHROOT_SHMAT=1, GS_CHROOT_UNIX, GS_CHROOT_MNT,
2302 +GS_CHROOT_FCHDIR, GS_CHROOT_DBL, GS_CHROOT_PVT, GS_CHROOT_CD, GS_CHROOT_CM,
2303 +GS_CHROOT_MK, GS_CHROOT_NI, GS_CHROOT_EXECLOG, GS_CHROOT_CAPS,
2304 +GS_CHROOT_SYSCTL, GS_TPE, GS_TPE_GID, GS_TPE_ALL,
2305 +GS_SOCKET_ALL, GS_SOCKET_ALL_GID, GS_SOCKET_CLIENT,
2306 +GS_SOCKET_CLIENT_GID, GS_SOCKET_SERVER, GS_SOCKET_SERVER_GID, GS_LOCK};
2308 +static ctl_table grsecurity_table[] = {
2309 +#ifdef CONFIG_GRKERNSEC_CHROOT_SHMAT
2310 + {GS_CHROOT_SHMAT, "chroot_deny_shmat", &grsec_enable_chroot_shmat, sizeof (int),
2311 + 0600, NULL, &proc_dointvec},
2313 +#ifdef CONFIG_GRKERNSEC_CHROOT_UNIX
2314 + {GS_CHROOT_UNIX, "chroot_deny_unix", &grsec_enable_chroot_unix, sizeof(int),
2315 + 0600, NULL, &proc_dointvec},
2317 +#ifdef CONFIG_GRKERNSEC_CHROOT_MOUNT
2318 + {GS_CHROOT_MNT, "chroot_deny_mount", &grsec_enable_chroot_mount, sizeof (int),
2319 + 0600, NULL, &proc_dointvec},
2321 +#ifdef CONFIG_GRKERNSEC_CHROOT_FCHDIR
2322 + {GS_CHROOT_FCHDIR, "chroot_deny_fchdir", &grsec_enable_chroot_fchdir, sizeof (int),
2323 + 0600, NULL, &proc_dointvec},
2325 +#ifdef CONFIG_GRKERNSEC_CHROOT_DOUBLE
2326 + {GS_CHROOT_DBL, "chroot_deny_chroot", &grsec_enable_chroot_double, sizeof (int),
2327 + 0600, NULL, &proc_dointvec},
2329 +#ifdef CONFIG_GRKERNSEC_CHROOT_PIVOT
2330 + {GS_CHROOT_PVT, "chroot_deny_pivot", &grsec_enable_chroot_pivot, sizeof (int),
2331 + 0600, NULL, &proc_dointvec},
2333 +#ifdef CONFIG_GRKERNSEC_CHROOT_CHDIR
2334 + {GS_CHROOT_CD, "chroot_enforce_chdir", &grsec_enable_chroot_chdir, sizeof (int),
2335 + 0600, NULL, &proc_dointvec},
2337 +#ifdef CONFIG_GRKERNSEC_CHROOT_CHMOD
2338 + {GS_CHROOT_CM, "chroot_deny_chmod", &grsec_enable_chroot_chmod, sizeof (int),
2339 + 0600, NULL, &proc_dointvec},
2341 +#ifdef CONFIG_GRKERNSEC_CHROOT_MKNOD
2342 + {GS_CHROOT_MK, "chroot_deny_mknod", &grsec_enable_chroot_mknod, sizeof (int),
2343 + 0600, NULL, &proc_dointvec},
2345 +#ifdef CONFIG_GRKERNSEC_CHROOT_NICE
2346 + {GS_CHROOT_NI, "chroot_restrict_nice", &grsec_enable_chroot_nice, sizeof (int),
2347 + 0600, NULL, &proc_dointvec},
2349 +#ifdef CONFIG_GRKERNSEC_CHROOT_EXECLOG
2350 + {GS_CHROOT_EXECLOG, "chroot_execlog",
2351 + &grsec_enable_chroot_execlog, sizeof (int),
2352 + 0600, NULL, &proc_dointvec},
2354 +#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
2355 + {GS_CHROOT_CAPS, "chroot_caps", &grsec_enable_chroot_caps, sizeof (int),
2356 + 0600, NULL, &proc_dointvec},
2358 +#ifdef CONFIG_GRKERNSEC_CHROOT_SYSCTL
2359 + {GS_CHROOT_SYSCTL, "chroot_deny_sysctl", &grsec_enable_chroot_sysctl, sizeof (int),
2360 + 0600, NULL, &proc_dointvec},
2362 +#ifdef CONFIG_GRKERNSEC_TPE
2363 + {GS_TPE, "tpe", &grsec_enable_tpe, sizeof (int),
2364 + 0600, NULL, &proc_dointvec},
2365 + {GS_TPE_GID, "tpe_gid", &grsec_tpe_gid, sizeof (int),
2366 + 0600, NULL, &proc_dointvec},
2368 +#ifdef CONFIG_GRKERNSEC_TPE_ALL
2369 + {GS_TPE_ALL, "tpe_restrict_all", &grsec_enable_tpe_all, sizeof (int),
2370 + 0600, NULL, &proc_dointvec},
2372 +#ifdef CONFIG_GRKERNSEC_SOCKET_ALL
2373 + {GS_SOCKET_ALL, "socket_all", &grsec_enable_socket_all, sizeof (int),
2374 + 0600, NULL, &proc_dointvec},
2375 + {GS_SOCKET_ALL_GID, "socket_all_gid",
2376 + &grsec_socket_all_gid, sizeof (int),
2377 + 0600, NULL, &proc_dointvec},
2379 +#ifdef CONFIG_GRKERNSEC_SOCKET_CLIENT
2380 + {GS_SOCKET_CLIENT, "socket_client",
2381 + &grsec_enable_socket_client, sizeof (int),
2382 + 0600, NULL, &proc_dointvec},
2383 + {GS_SOCKET_CLIENT_GID, "socket_client_gid",
2384 + &grsec_socket_client_gid, sizeof (int),
2385 + 0600, NULL, &proc_dointvec},
2387 +#ifdef CONFIG_GRKERNSEC_SOCKET_SERVER
2388 + {GS_SOCKET_SERVER, "socket_server",
2389 + &grsec_enable_socket_server, sizeof (int),
2390 + 0600, NULL, &proc_dointvec},
2391 + {GS_SOCKET_SERVER_GID, "socket_server_gid",
2392 + &grsec_socket_server_gid, sizeof (int),
2393 + 0600, NULL, &proc_dointvec},
2395 + {GS_LOCK, "grsec_lock", &grsec_lock, sizeof (int), 0600, NULL,
2401 static ctl_table vm_table[] = {
2402 {VM_BDFLUSH, "bdflush", &bdf_prm, 9*sizeof(int), 0644, NULL,
2403 @@ -413,6 +607,13 @@
2405 static inline int ctl_perm(ctl_table *table, int op)
2407 +#ifdef CONFIG_GRKERNSEC
2408 + if (gr_handle_sysctl_mod(table->de->parent->name, table->de->name, op))
2410 + if (gr_handle_chroot_sysctl(op))
2414 return test_perm(table->mode, op);
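Review bot: `table->de->parent->name` on 2408 is dereferenced unconditionally, but `ctl_perm()` is also reached from the binary sys_sysctl() path, where `table->de` is only populated by the /proc registration — entries without a procname, or any kernel built without CONFIG_PROC_FS, leave it NULL as far as I recall — so this can oops on a NULL pointer. Guard it: `if (table->de && table->de->parent && gr_handle_sysctl_mod(table->de->parent->name, table->de->name, op))`, or pass the ctl_table itself to gr_handle_sysctl_mod() and let it resolve the names defensively. Separately, the grsecurity directory entry on 2295 is 0500 and every leaf 0600, which keeps the settings unreadable to unprivileged users — a short comment there would make a later "relax to 0644" recognisable as a policy change. The return values inside the new branches (2409, 2411) are not shown.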
2417 diff -urN linux-2.4.22/mm/mmap.c linux-2.4.22/mm/mmap.c
2418 --- linux-2.4.22/mm/mmap.c 2003-09-01 22:19:02.000000000 -0400
2419 +++ linux-2.4.22/mm/mmap.c 2003-09-02 19:29:42.000000000 -0400
2421 #include <linux/file.h>
2422 #include <linux/fs.h>
2423 #include <linux/personality.h>
2424 +#include <linux/random.h>
2425 +#include <linux/grsecurity.h>
2427 #include <asm/uaccess.h>
2428 #include <asm/pgalloc.h>
2429 @@ -480,6 +532,11 @@
2433 +#ifdef CONFIG_GRKERNSEC
2434 + if (!gr_tpe_allow(file))
2438 /* Clear old maps */
2440 vma = find_vma_prepare(mm, addr, &prev, &rb_link, &rb_parent);
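Review bot: `gr_tpe_allow(file)` on 2434 can receive a NULL `file` (anonymous mappings), and the mprotect.c hunk (2457) likewise passes `vma->vm_file`, which is NULL for anonymous vmas; unless the helper itself checks for NULL — or the hidden lines 2430-2432 restrict the call to file-backed PROT_EXEC mappings — the callers should test the pointer first, e.g. `if (file && !gr_tpe_allow(file))`. Please add a one-line comment at each call site stating which mappings the check is meant to cover, since the condition it sits under is not visible here. The added `#include <linux/random.h>` on 2424 is not used by anything in the shown hunk; if it serves a part of the change that was cut, fine, otherwise it should go.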
2441 diff -urN linux-2.4.22/mm/mprotect.c linux-2.4.22/mm/mprotect.c
2442 --- linux-2.4.22/mm/mprotect.c 2003-09-01 22:19:02.000000000 -0400
2443 +++ linux-2.4.22/mm/mprotect.c 2003-09-02 19:29:42.000000000 -0400
2445 #include <linux/smp_lock.h>
2446 #include <linux/shm.h>
2447 #include <linux/mman.h>
2448 +#include <linux/grsecurity.h>
2450 #include <asm/uaccess.h>
2451 #include <asm/pgalloc.h>
2452 @@ -288,6 +393,13 @@
2453 if (!vma || vma->vm_start > start)
2456 +#ifdef CONFIG_GRKERNSEC
2457 + if (!gr_tpe_allow(vma->vm_file)) {
2463 for (nstart = start ; ; ) {
2464 unsigned int newflags;
2466 diff -urN linux-2.4.22/net/ipv4/netfilter/Config.in linux-2.4.22-grsec/net/ipv4/netfilter/Config.in
2467 --- linux-2.4.22/net/ipv4/netfilter/Config.in 2003-10-09 18:47:22.000000000 +0200
2468 +++ linux-2.4.22-grsec/net/ipv4/netfilter/Config.in 2003-10-09 19:13:26.000000000 +0200
2470 dep_tristate ' address type match support' CONFIG_IP_NF_MATCH_ADDRTYPE $CONFIG_IP_NF_IPTABLES
2471 dep_tristate ' tcpmss match support' CONFIG_IP_NF_MATCH_TCPMSS $CONFIG_IP_NF_IPTABLES
2472 dep_tristate ' realm match support' CONFIG_IP_NF_MATCH_REALM $CONFIG_IP_NF_IPTABLES
2473 + dep_tristate ' stealth match support' CONFIG_IP_NF_MATCH_STEALTH $CONFIG_IP_NF_IPTABLES
2474 if [ "$CONFIG_IP_NF_CONNTRACK" != "n" ]; then
2475 dep_tristate ' Helper match support' CONFIG_IP_NF_MATCH_HELPER $CONFIG_IP_NF_IPTABLES
2477 diff -urN linux-2.4.22/net/ipv4/netfilter/Makefile linux-2.4.22-grsec/net/ipv4/netfilter/Makefile
2478 --- linux-2.4.22/net/ipv4/netfilter/Makefile 2003-10-09 18:47:21.000000000 +0200
2479 +++ linux-2.4.22-grsec/net/ipv4/netfilter/Makefile 2003-10-09 19:13:26.000000000 +0200
2481 obj-$(CONFIG_IP_NF_MATCH_TCPMSS) += ipt_tcpmss.o
2482 obj-$(CONFIG_IP_NF_MATCH_ADDRTYPE) += ipt_addrtype.o
2483 obj-$(CONFIG_IP_NF_MATCH_REALM) += ipt_realm.o
2484 +obj-$(CONFIG_IP_NF_MATCH_STEALTH) += ipt_stealth.o
2486 obj-$(CONFIG_IP_NF_MATCH_PHYSDEV) += ipt_physdev.o
2488 diff -urN linux-2.4.22/net/ipv4/netfilter/ipt_stealth.c linux-2.4.22-grsec/net/ipv4/netfilter/ipt_stealth.c
2489 --- linux-2.4.22/net/ipv4/netfilter/ipt_stealth.c 1970-01-01 01:00:00.000000000 +0100
2490 +++ linux-2.4.22-grsec/net/ipv4/netfilter/ipt_stealth.c 2003-10-09 19:13:26.000000000 +0200
2492 +/* Kernel module to add stealth support.
2494 + * Copyright (C) 2002 Brad Spengler <spender@grsecurity.net>
2498 +#include <linux/kernel.h>
2499 +#include <linux/module.h>
2500 +#include <linux/skbuff.h>
2501 +#include <linux/net.h>
2502 +#include <linux/sched.h>
2503 +#include <linux/inet.h>
2504 +#include <linux/stddef.h>
2506 +#include <net/ip.h>
2507 +#include <net/sock.h>
2508 +#include <net/tcp.h>
2509 +#include <net/udp.h>
2510 +#include <net/route.h>
2511 +#include <net/inet_common.h>
2513 +#include <linux/netfilter_ipv4/ip_tables.h>
2515 +MODULE_LICENSE("GPL");
2517 +extern struct sock *udp_v4_lookup(u32 saddr, u16 sport, u32 daddr, u16 dport, int dif);
2520 +match(const struct sk_buff *skb,
2521 + const struct net_device *in,
2522 + const struct net_device *out,
2523 + const void *matchinfo,
2526 + u_int16_t datalen,
2529 + struct iphdr *ip = skb->nh.iph;
2530 + struct tcphdr *th = (struct tcphdr *) hdr;
2531 + struct udphdr *uh = (struct udphdr *) hdr;
2532 + struct sock *sk = NULL;
2534 + if (!ip || !hdr || offset) return 0;
2536 + switch(ip->protocol) {
2538 + if (datalen < sizeof(struct tcphdr)) {
2542 + if (!(th->syn && !th->ack)) return 0;
2543 + sk = tcp_v4_lookup_listener(ip->daddr, ntohs(th->dest), ((struct rtable*)skb->dst)->rt_iif);
2546 + if (datalen < sizeof(struct udphdr)) {
2550 + sk = udp_v4_lookup(ip->saddr, uh->source, ip->daddr, uh->dest, skb->dev->ifindex);
2556 + if(!sk) // port is being listened on, match this
2564 +/* Called when user tries to insert an entry of this type. */
2566 +checkentry(const char *tablename,
2567 + const struct ipt_ip *ip,
2569 + unsigned int matchsize,
2570 + unsigned int hook_mask)
2572 + if (matchsize != IPT_ALIGN(0))
2575 + if(((ip->proto == IPPROTO_TCP && !(ip->invflags & IPT_INV_PROTO)) ||
2576 + ((ip->proto == IPPROTO_UDP) && !(ip->invflags & IPT_INV_PROTO)))
2577 + && (hook_mask & (1 << NF_IP_LOCAL_IN)))
2580 + printk("stealth: Only works on TCP and UDP for the INPUT chain.\n");
2586 +static struct ipt_match stealth_match
2587 += { { NULL, NULL }, "stealth", &match, &checkentry, NULL, THIS_MODULE };
2589 +static int __init init(void)
2591 + return ipt_register_match(&stealth_match);
2594 +static void __exit fini(void)
2596 + ipt_unregister_match(&stealth_match);
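Review bot: The comment on 2556 says the opposite of what the code tests: `!sk` means the lookup found no local socket, so the match fires for unserved ports; change it to `// no local socket for this port: match (the rule's target handles it)`. The hook check on 2577 only requires that NF_IP_LOCAL_IN be among the hooks, so a user-defined chain reachable from both INPUT and FORWARD passes it, yet the match dereferences `skb->dst` for `rt_iif` (2543) and consults local listeners, which is only meaningful at LOCAL_IN — tighten it to `&& !(hook_mask & ~(1 << NF_IP_LOCAL_IN))`. The printk on 2580 lacks a KERN_* level. The asymmetry on 2543/2550 — host-order port for tcp_v4_lookup_listener(), network-order for udp_v4_lookup() — matches the 2.4 APIs as far as I recall, but deserves a comment so it is not "normalised" away later.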
2601 diff -urN linux-2.4.22/net/netsyms.c linux-2.4.22-grsec/net/netsyms.c
2602 --- linux-2.4.22/net/netsyms.c 2003-10-09 18:47:31.000000000 +0200
2603 +++ linux-2.4.22-grsec/net/netsyms.c 2003-10-09 19:13:26.000000000 +0200
2605 #include <net/checksum.h>
2606 #include <linux/etherdevice.h>
2607 #include <net/route.h>
2608 +#include <linux/grsecurity.h>
2610 #include <linux/hippidevice.h>
2612 @@ -613,6 +614,20 @@
2614 EXPORT_SYMBOL(softnet_data);
2616 +#if defined(CONFIG_IP_NF_MATCH_STEALTH_MODULE)
2617 +#if !defined (CONFIG_IPV6_MODULE) && !defined (CONFIG_KHTTPD) && !defined (CONFIG_KHTTPD_MODULE)
2618 +EXPORT_SYMBOL(tcp_v4_lookup_listener);
2620 +#if !defined(CONFIG_IP_NF_MATCH_OWNER) && !defined(CONFIG_IP_NF_MATCH_OWNER_MODULE)
2621 +extern struct sock *udp_v4_lookup(u32 saddr, u16 sport, u32 daddr, u16 dport, int dif);
2622 +EXPORT_SYMBOL(udp_v4_lookup);
2626 +#ifdef CONFIG_UNIX_MODULE
2627 +EXPORT_SYMBOL(gr_handle_chroot_unix);
2630 #if defined(CONFIG_NET_RADIO) || defined(CONFIG_NET_PCMCIA_RADIO)
2631 #include <net/iw_handler.h>
2632 EXPORT_SYMBOL(wireless_send_event);
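Review bot: The nested `#if !defined(...)` guards on 2617 and 2620 carry no explanation of why the exports are skipped when IPv6/khttpd or ipt_owner are configured; presumably netsyms.c already exports `tcp_v4_lookup_listener` and `udp_v4_lookup` under those conditions and a second EXPORT_SYMBOL would collide, but that is something the next reader has to rediscover. Add `/* already exported elsewhere in this file when IPv6/khttpd (tcp) or ipt_owner (udp) is built */` above 2617. The closing `#endif`s for these blocks are not shown.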
2633 diff -urN linux-2.4.22/net/socket.c linux-2.4.22/net/socket.c
2634 --- linux-2.4.22/net/socket.c 2003-09-01 22:19:08.000000000 -0400
2635 +++ linux-2.4.22/net/socket.c 2003-09-02 19:29:42.000000000 -0400
2637 #include <net/scm.h>
2638 #include <linux/netfilter.h>
2640 +extern void gr_attach_curr_ip(const struct sock *sk);
2641 +extern int gr_handle_sock_all(const int family, const int type,
2642 + const int protocol);
2643 +extern int gr_handle_sock_server(const struct sockaddr *sck);
2644 +extern int gr_handle_sock_client(const struct sockaddr *sck);
2646 static int sock_no_open(struct inode *irrelevant, struct file *dontcare);
2647 static ssize_t sock_read(struct file *file, char *buf,
2648 size_t size, loff_t *ppos);
2651 int sock_close(struct inode *inode, struct file *filp)
2653 + struct socket *sock;
2655 * It was possible the inode is NULL we were
2656 * closing an unfinished socket.
2657 @@ -709,8 +722,21 @@
2658 printk(KERN_DEBUG "sock_close: NULL inode\n");
2661 + sock = socki_lookup(inode);
2663 sock_fasync(-1, filp, 0);
2665 +#ifdef CONFIG_GRKERNSEC
2666 + if (unlikely(current->used_accept && sock->sk &&
2667 + (sock->sk->protocol == IPPROTO_TCP) &&
2668 + (sock->sk->daddr == current->curr_ip))) {
2669 + current->used_accept = 0;
2670 + current->curr_ip = 0;
2674 sock_release(socki_lookup(inode));
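Review bot: `sock_release(socki_lookup(inode))` on 2674 repeats the lookup that 2661 already stored in `sock`; use `sock_release(sock);` so the two cannot diverge. The new block on 2665-2670 compares `sock->sk->daddr` for every socket family whose protocol number equals IPPROTO_TCP, which is harmless for non-INET sockets but worth a comment (`/* only INET sockets populate daddr; others never match */`). Also note that sock_close() runs in whichever task drops the last reference, so `current` here need not be the task that called accept(); if the fd was inherited across fork, the closing task's tracking state is cleared rather than the acceptor's.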
2679 @@ -903,6 +929,13 @@
2681 struct socket *sock;
2683 +#ifdef CONFIG_GRKERNSEC
2684 + if (gr_handle_sock_all(family, type, protocol)) {
2690 retval = sock_create(family, type, protocol, &sock);
2693 @@ -998,12 +1034,23 @@
2695 struct socket *sock;
2696 char address[MAX_SOCK_ADDR];
2697 + struct sockaddr * sck;
2700 if((sock = sockfd_lookup(fd,&err))!=NULL)
2702 - if((err=move_addr_to_kernel(umyaddr,addrlen,address))>=0)
2703 + if((err=move_addr_to_kernel(umyaddr,addrlen,address))>=0) {
2704 +#ifdef CONFIG_GRKERNSEC
2705 + sck = (struct sockaddr *) address;
2707 + if (gr_handle_sock_server(sck)) {
2713 err = sock->ops->bind(sock, (struct sockaddr *)address, addrlen);
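Review bot: `gr_handle_sock_server(sck)` on 2707 receives only a pointer into `address`, not `addrlen`, yet move_addr_to_kernel() on 2703 copies just `addrlen` bytes into that stack buffer; a caller passing a short length (for instance only sa_family) leaves the port and address fields the helper presumably inspects as uninitialised stack bytes, so the policy decision is made on garbage. Pass the length through (`gr_handle_sock_server(sck, addrlen)`) and have the helper require `addrlen >= sizeof(struct sockaddr_in)` before reading INET fields, or at minimum zero `address` before the copy. The same applies to `gr_handle_sock_client(sck)` in the connect hunk (2745). The brace opened on 2703 closes outside the shown lines.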
2718 @@ -1079,6 +1129,10 @@
2719 if ((err = sock_map_fd(newsock)) < 0)
2722 +#ifdef CONFIG_GRKERNSEC
2723 + gr_attach_curr_ip(newsock->sk);
2729 @@ -1106,6 +1158,7 @@
2731 struct socket *sock;
2732 char address[MAX_SOCK_ADDR];
2733 + struct sockaddr * sck;
2736 sock = sockfd_lookup(fd, &err);
2737 @@ -1114,6 +1167,19 @@
2738 err = move_addr_to_kernel(uservaddr, addrlen, address);
2742 +#ifdef CONFIG_GRKERNSEC
2743 + sck = (struct sockaddr *) address;
2745 + if (gr_handle_sock_client(sck)) {
2750 + if (sock->sk->protocol == IPPROTO_TCP)
2751 + current->used_connect = 1;
2754 err = sock->ops->connect(sock, (struct sockaddr *) address, addrlen,
2755 sock->file->f_flags);
2757 @@ -1333,6 +1404,14 @@
2758 err=sock->ops->shutdown(sock, how);
2762 +#ifdef CONFIG_GRKERNSEC
2763 + if (likely(!err && current->used_accept)) {
2764 + current->used_accept = 0;
2765 + current->curr_ip = 0;
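Review bot: The reset on 2763-2765 clears `used_accept`/`curr_ip` on any successful shutdown(), while the matching reset in sock_close() (2666-2668) fires only when the closed socket is the TCP peer whose address is recorded in `curr_ip`; shutting down an unrelated socket therefore drops the tracked address early. Apply the same condition here, i.e. `if (likely(!err && current->used_accept && sock->sk && sock->sk->protocol == IPPROTO_TCP && sock->sk->daddr == current->curr_ip))`, or state in a comment why shutdown is meant to be unconditional. The closing `#endif` and the rest of the enclosing function are not shown.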
2772 diff -urN linux-2.4.22/net/unix/af_unix.c linux-2.4.22-grsec/net/unix/af_unix.c
2773 --- linux-2.4.22/net/unix/af_unix.c 2003-10-09 18:47:35.000000000 +0200
2774 +++ linux-2.4.22-grsec/net/unix/af_unix.c 2003-10-09 19:13:26.000000000 +0200
2776 #include <linux/poll.h>
2777 #include <linux/smp_lock.h>
2778 #include <linux/rtnetlink.h>
2779 +#include <linux/grsecurity.h>
2781 #include <asm/checksum.h>
2783 @@ -622,6 +623,15 @@
2785 struct dentry *dentry;
2786 dentry = u->protinfo.af_unix.dentry;
2788 +#ifdef CONFIG_GRKERNSEC
2789 + if (!gr_handle_chroot_unix(u->peercred.pid)) {
2797 UPDATE_ATIME(dentry->d_inode);
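Review bot: The check on 2789 is compiled under `CONFIG_GRKERNSEC`, but the pid it consumes is only recorded on 2804 under `CONFIG_GRKERNSEC_CHROOT_UNIX`; with the former set and the latter not, `u->peercred.pid` holds whatever the socket was initialised with, so either the guards should match or the helper must treat a zero pid as "no information". Independently, `peercred.pid` is the binder's pid captured at bind time; by the time a client connects that task may have exited and the pid been reused, so the chroot decision on 2789 can be made about an unrelated process — worth a comment at 2804, e.g. `/* pid of the binding task; may be stale or recycled by connect time */`. The body after the check (2790-2796) is not shown.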
2799 @@ -740,6 +748,10 @@
2803 +#ifdef CONFIG_GRKERNSEC_CHROOT_UNIX
2804 + sk->peercred.pid = current->pid;
2807 list = &unix_socket_table[addr->hash];
2809 list = &unix_socket_table[dentry->d_inode->i_ino & (UNIX_HASH_SIZE-1)];
2814 +#ifdef CONFIG_GRKERNSEC
2815 + struct task_struct *p, **htable;
2818 err = unix_mkname(sunaddr, addr_len, &hash);
2820 @@ -989,6 +1019,17 @@
2821 /* Set credentials */
2822 sk->peercred = other->peercred;
2824 +#ifdef CONFIG_GRKERNSEC
2825 + read_lock(&tasklist_lock);
2826 + htable = &pidhash[pid_hashfn(other->peercred.pid)];
2827 + for (p = *htable; p && p->pid != other->peercred.pid; p = p->pidhash_next);
2829 + p->curr_ip = current->curr_ip;
2830 + p->used_accept = 1;
2832 + read_unlock(&tasklist_lock);
2836 unix_peer(sk)=newsk;
2837 sock->state=SS_CONNECTED;