diff -uNr linux-2.6.7-rc1.orig/arch/alpha/kernel/osf_sys.c linux-2.6.7-rc1/arch/alpha/kernel/osf_sys.c --- linux-2.6.7-rc1.orig/arch/alpha/kernel/osf_sys.c 2004-05-23 07:53:28.000000000 +0200 +++ linux-2.6.7-rc1/arch/alpha/kernel/osf_sys.c 2004-05-25 14:33:57.642597320 +0200 @@ -37,6 +37,7 @@ #include #include #include +#include #include #include @@ -189,6 +190,13 @@ if (!file) goto out; } + + if (gr_handle_mmap(file, prot)) { + fput(file); + ret = -EACCES; + goto out; + } + flags &= ~(MAP_EXECUTABLE | MAP_DENYWRITE); down_write(¤t->mm->mmap_sem); ret = do_mmap(file, addr, len, prot, flags, off); diff -uNr linux-2.6.7-rc1.orig/arch/alpha/kernel/ptrace.c linux-2.6.7-rc1/arch/alpha/kernel/ptrace.c --- linux-2.6.7-rc1.orig/arch/alpha/kernel/ptrace.c 2004-05-23 07:54:43.000000000 +0200 +++ linux-2.6.7-rc1/arch/alpha/kernel/ptrace.c 2004-05-25 14:33:57.658594888 +0200 @@ -14,6 +14,7 @@ #include #include #include +#include #include #include @@ -288,6 +289,9 @@ if (!child) goto out_notsk; + if (gr_handle_ptrace(child, request)) + goto out; + if (request == PTRACE_ATTACH) { ret = ptrace_attach(child); goto out; diff -uNr linux-2.6.7-rc1.orig/arch/i386/Kconfig linux-2.6.7-rc1/arch/i386/Kconfig --- linux-2.6.7-rc1.orig/arch/i386/Kconfig 2004-05-25 14:25:41.000000000 +0200 +++ linux-2.6.7-rc1/arch/i386/Kconfig 2004-05-25 14:33:57.669593216 +0200 @@ -394,7 +394,7 @@ config X86_ALIGNMENT_16 bool - depends on MWINCHIP3D || MWINCHIP2 || MWINCHIPC6 || MCYRIXIII || X86_ELAN || MK6 || M586MMX || M586TSC || M586 || M486 || MVIAC3_2 + depends on MWINCHIP3D || MWINCHIP2 || MWINCHIPC6 || MCYRIXIII || X86_ELAN || MK8 || MK7 || MK6 || MPENTIUM4 || MPENTIUMIII || MPENTIUMII || M686 || M586MMX || M586TSC || M586 || M486 || MVIAC3_2 default y config X86_GOOD_APIC diff -uNr linux-2.6.7-rc1.orig/arch/i386/kernel/ioport.c linux-2.6.7-rc1/arch/i386/kernel/ioport.c --- linux-2.6.7-rc1.orig/arch/i386/kernel/ioport.c 2004-05-23 07:54:16.000000000 +0200 +++ linux-2.6.7-rc1/arch/i386/kernel/ioport.c 2004-05-25 14:33:57.726584552 +0200 @@ -15,6 +15,7 @@ #include #include #include +#include /* Set EXTENT bits starting at BASE in BITMAP to value TURN_ON. */ static void set_bitmap(unsigned long *bitmap, unsigned int base, unsigned int extent, int new_value) @@ -62,9 +63,16 @@ if ((from + num <= from) || (from + num > IO_BITMAP_BITS)) return -EINVAL; +#ifdef CONFIG_GRKERNSEC_IO + if (turn_on) { + gr_handle_ioperm(); +#else if (turn_on && !capable(CAP_SYS_RAWIO)) +#endif return -EPERM; - +#ifdef CONFIG_GRKERNSEC_IO + } +#endif /* * If it's the first ioperm() call in this thread's lifetime, set the * IO bitmap up. ioperm() is much less timing critical than clone(), @@ -115,8 +123,13 @@ return -EINVAL; /* Trying to gain more privileges? */ if (level > old) { +#ifdef CONFIG_GRKERNSEC_IO + gr_handle_iopl(); + return -EPERM; +#else if (!capable(CAP_SYS_RAWIO)) return -EPERM; +#endif } regs->eflags = (regs->eflags &~ 0x3000UL) | (level << 12); /* Make sure we return the long way (not sysenter) */ diff -uNr linux-2.6.7-rc1.orig/arch/i386/kernel/ptrace.c linux-2.6.7-rc1/arch/i386/kernel/ptrace.c --- linux-2.6.7-rc1.orig/arch/i386/kernel/ptrace.c 2004-05-23 07:53:47.000000000 +0200 +++ linux-2.6.7-rc1/arch/i386/kernel/ptrace.c 2004-05-25 14:33:57.759579536 +0200 @@ -15,6 +15,7 @@ #include #include #include +#include #include #include @@ -263,6 +264,9 @@ if (pid == 1) /* you may not mess with init */ goto out_tsk; + if (gr_handle_ptrace(child, request)) + goto out_tsk; + if (request == PTRACE_ATTACH) { ret = ptrace_attach(child); goto out_tsk; @@ -341,6 +345,17 @@ if(addr == (long) &dummy->u_debugreg[5]) break; if(addr < (long) &dummy->u_debugreg[4] && ((unsigned long) data) >= TASK_SIZE-3) break; + +#ifdef CONFIG_GRKERNSEC + if(addr >= (long) &dummy->u_debugreg[0] && + addr <= (long) &dummy->u_debugreg[3]){ + long reg = (addr - (long) &dummy->u_debugreg[0]) >> 2; + long type = (child->thread.debugreg[7] >> (DR_CONTROL_SHIFT + 4*reg)) & 3; + long align = (child->thread.debugreg[7] >> (DR_CONTROL_SHIFT + 2 + 4*reg)) & 3; + if((type & 1) && (data & align)) + break; + } +#endif if(addr == (long) &dummy->u_debugreg[7]) { data &= ~DR_CONTROL_RESERVED; diff -uNr linux-2.6.7-rc1.orig/arch/i386/kernel/sys_i386.c linux-2.6.7-rc1/arch/i386/kernel/sys_i386.c --- linux-2.6.7-rc1.orig/arch/i386/kernel/sys_i386.c 2004-05-23 07:55:01.000000000 +0200 +++ linux-2.6.7-rc1/arch/i386/kernel/sys_i386.c 2004-05-25 14:33:57.766578472 +0200 @@ -19,6 +19,7 @@ #include #include #include +#include #include #include @@ -56,8 +57,14 @@ goto out; } + if (gr_handle_mmap(file, prot)) { + fput(file); + error = -EACCES; + goto out; + } + down_write(¤t->mm->mmap_sem); - error = do_mmap_pgoff(file, addr, len, prot, flags, pgoff); + error = do_mmap(file, addr, len, prot, flags, pgoff << PAGE_SHIFT); up_write(¤t->mm->mmap_sem); if (file) diff -uNr linux-2.6.7-rc1.orig/arch/i386/kernel/traps.c linux-2.6.7-rc1/arch/i386/kernel/traps.c --- linux-2.6.7-rc1.orig/arch/i386/kernel/traps.c 2004-05-23 07:53:46.000000000 +0200 +++ linux-2.6.7-rc1/arch/i386/kernel/traps.c 2004-05-25 14:33:57.779576496 +0200 @@ -122,13 +117,15 @@ unsigned long ebp) { unsigned long addr; + int i = kstack_depth_to_print; - while (!kstack_end(stack)) { + while (i && !kstack_end(stack)) { addr = *stack++; if (__kernel_text_address(addr)) { printk(" [<%08lx>]", addr); print_symbol(" %s", addr); printk("\n"); + --i; } } } diff -uNr linux-2.6.7-rc1.orig/arch/ia64/kernel/ptrace.c linux-2.6.7-rc1/arch/ia64/kernel/ptrace.c --- linux-2.6.7-rc1.orig/arch/ia64/kernel/ptrace.c 2004-05-23 07:55:02.000000000 +0200 +++ linux-2.6.7-rc1/arch/ia64/kernel/ptrace.c 2004-05-25 14:33:57.842566920 +0200 @@ -17,6 +17,7 @@ #include #include #include +#include #include #include @@ -1314,6 +1315,9 @@ if (pid == 1) /* no messing around with init! */ goto out_tsk; + if (gr_handle_ptrace(child, request)) + goto out_tsk; + if (request == PTRACE_ATTACH) { ret = ptrace_attach(child); goto out_tsk; diff -uNr linux-2.6.7-rc1.orig/arch/ia64/kernel/sys_ia64.c linux-2.6.7-rc1/arch/ia64/kernel/sys_ia64.c --- linux-2.6.7-rc1.orig/arch/ia64/kernel/sys_ia64.c 2004-05-23 07:54:21.000000000 +0200 +++ linux-2.6.7-rc1/arch/ia64/kernel/sys_ia64.c 2004-05-25 14:33:57.858564488 +0200 @@ -18,6 +18,7 @@ #include #include #include +#include #include #include @@ -222,6 +223,11 @@ goto out; } + if (gr_handle_mmap(file, prot)) { + addr = -EACCES; + goto out; + } + down_write(¤t->mm->mmap_sem); addr = do_mmap_pgoff(file, addr, len, prot, flags, pgoff); up_write(¤t->mm->mmap_sem); diff -uNr linux-2.6.7-rc1.orig/arch/ppc/kernel/ptrace.c linux-2.6.7-rc1/arch/ppc/kernel/ptrace.c --- linux-2.6.7-rc1.orig/arch/ppc/kernel/ptrace.c 2004-05-23 07:53:47.000000000 +0200 +++ linux-2.6.7-rc1/arch/ppc/kernel/ptrace.c 2004-05-25 14:33:57.867563120 +0200 @@ -26,6 +26,7 @@ #include #include #include +#include #include #include @@ -202,6 +203,9 @@ if (pid == 1) /* you may not mess with init */ goto out_tsk; + if (gr_handle_ptrace(child, request)) + goto out_tsk; + if (request == PTRACE_ATTACH) { ret = ptrace_attach(child); goto out_tsk; diff -uNr linux-2.6.7-rc1.orig/arch/ppc/kernel/syscalls.c linux-2.6.7-rc1/arch/ppc/kernel/syscalls.c --- linux-2.6.7-rc1.orig/arch/ppc/kernel/syscalls.c 2004-05-23 07:54:44.000000000 +0200 +++ linux-2.6.7-rc1/arch/ppc/kernel/syscalls.c 2004-05-25 14:33:57.884560536 +0200 @@ -36,6 +36,7 @@ #include #include #include +#include #include #include @@ -171,8 +172,14 @@ goto out; } + if (gr_handle_mmap(file, prot)) { + fput(file); + ret = -EACCES; + goto out; + } + down_write(¤t->mm->mmap_sem); - ret = do_mmap_pgoff(file, addr, len, prot, flags, pgoff); + ret = do_mmap(file, addr, len, prot, flags, pgoff << PAGE_SHIFT); up_write(¤t->mm->mmap_sem); if (file) fput(file); diff -uNr linux-2.6.7-rc1.orig/arch/sparc/kernel/ptrace.c linux-2.6.7-rc1/arch/sparc/kernel/ptrace.c --- linux-2.6.7-rc1.orig/arch/sparc/kernel/ptrace.c 2004-05-23 07:55:02.000000000 +0200 +++ linux-2.6.7-rc1/arch/sparc/kernel/ptrace.c 2004-05-25 14:33:57.923554608 +0200 @@ -18,6 +18,7 @@ #include #include #include +#include #include #include @@ -320,6 +321,11 @@ goto out; } + if (gr_handle_ptrace(child, request)) { + pt_error_return(regs, EPERM); + goto out_tsk; + } + if ((current->personality == PER_SUNOS && request == PTRACE_SUNATTACH) || (current->personality != PER_SUNOS && request == PTRACE_ATTACH)) { if (ptrace_attach(child)) { diff -uNr linux-2.6.7-rc1.orig/arch/sparc/kernel/sys_sparc.c linux-2.6.7-rc1/arch/sparc/kernel/sys_sparc.c --- linux-2.6.7-rc1.orig/arch/sparc/kernel/sys_sparc.c 2004-05-23 07:53:57.000000000 +0200 +++ linux-2.6.7-rc1/arch/sparc/kernel/sys_sparc.c 2004-05-25 14:33:57.932553240 +0200 @@ -21,6 +21,7 @@ #include #include #include +#include #include #include @@ -242,6 +243,12 @@ if (len > TASK_SIZE - PAGE_SIZE || addr + len > TASK_SIZE - PAGE_SIZE) goto out_putf; + if (gr_handle_mmap(file, prot)) { + fput(file); + retval = -EACCES; + goto out; + } + flags &= ~(MAP_EXECUTABLE | MAP_DENYWRITE); down_write(¤t->mm->mmap_sem); diff -uNr linux-2.6.7-rc1.orig/arch/sparc64/kernel/ptrace.c linux-2.6.7-rc1/arch/sparc64/kernel/ptrace.c --- linux-2.6.7-rc1.orig/arch/sparc64/kernel/ptrace.c 2004-05-23 07:55:02.000000000 +0200 +++ linux-2.6.7-rc1/arch/sparc64/kernel/ptrace.c 2004-05-25 14:33:57.944551416 +0200 @@ -19,6 +19,7 @@ #include #include #include +#include #include #include @@ -169,6 +170,11 @@ goto out; } + if (gr_handle_ptrace(child, (long)request)) { + pt_error_return(regs, EPERM); + goto out_tsk; + } + if ((current->personality == PER_SUNOS && request == PTRACE_SUNATTACH) || (current->personality != PER_SUNOS && request == PTRACE_ATTACH)) { if (ptrace_attach(child)) { diff -uNr linux-2.6.7-rc1.orig/arch/sparc64/kernel/sys_sparc.c linux-2.6.7-rc1/arch/sparc64/kernel/sys_sparc.c --- linux-2.6.7-rc1.orig/arch/sparc64/kernel/sys_sparc.c 2004-05-23 07:54:19.000000000 +0200 +++ linux-2.6.7-rc1/arch/sparc64/kernel/sys_sparc.c 2004-05-25 14:33:57.955549744 +0200 @@ -25,6 +25,7 @@ #include #include #include +#include #include #include @@ -316,6 +317,12 @@ if (!file) goto out; } + + if (gr_handle_mmap(file, prot)) { + retval = -EACCES; + goto out_putf; + } + flags &= ~(MAP_EXECUTABLE | MAP_DENYWRITE); len = PAGE_ALIGN(len); retval = -EINVAL; diff -uNr linux-2.6.7-rc1.orig/arch/x86_64/kernel/ptrace.c linux-2.6.7-rc1/arch/x86_64/kernel/ptrace.c --- linux-2.6.7-rc1.orig/arch/x86_64/kernel/ptrace.c 2004-05-23 07:53:56.000000000 +0200 +++ linux-2.6.7-rc1/arch/x86_64/kernel/ptrace.c 2004-05-25 14:37:46.397821240 +0200 @@ -17,6 +17,7 @@ #include #include #include +#include #include #include @@ -213,6 +214,9 @@ if (pid == 1) /* you may not mess with init */ goto out_tsk; + if (gr_handle_ptrace(child, request)) + goto out_tsk; + if (request == PTRACE_ATTACH) { ret = ptrace_attach(child); goto out_tsk; diff -uNr linux-2.6.7-rc1.orig/drivers/char/keyboard.c linux-2.6.7-rc1/drivers/char/keyboard.c --- linux-2.6.7-rc1.orig/drivers/char/keyboard.c 2004-05-25 14:25:39.000000000 +0200 +++ linux-2.6.7-rc1/drivers/char/keyboard.c 2004-05-25 14:33:58.033537888 +0200 @@ -606,6 +606,16 @@ kbd->kbdmode == VC_MEDIUMRAW) && value != KVAL(K_SAK)) return; /* SAK is allowed even in raw mode */ + +#if defined(CONFIG_GRKERNSEC_PROC) || defined(CONFIG_GRKERNSEC_PROC_MEMMAP) + { + void *func = fn_handler[value]; + if (func == fn_show_state || func == fn_show_ptregs || + func == fn_show_mem) + return; + } +#endif + fn_handler[value](vc, regs); } diff -uNr linux-2.6.7-rc1.orig/drivers/char/mem.c linux-2.6.7-rc1/drivers/char/mem.c --- linux-2.6.7-rc1.orig/drivers/char/mem.c 2004-05-23 07:54:18.000000000 +0200 +++ linux-2.6.7-rc1/drivers/char/mem.c 2004-05-25 14:33:58.061533632 +0200 @@ -23,6 +23,7 @@ #include #include #include +#include #include #include @@ -39,6 +40,10 @@ extern void tapechar_init(void); #endif +#ifdef CONFIG_GRKERNSEC +extern struct file_operations grsec_fops; +#endif + /* * Architectures vary in how they handle caching for addresses * outside of main memory. @@ -191,6 +196,12 @@ if (!valid_phys_addr_range(p, &count)) return -EFAULT; + +#ifdef CONFIG_GRKERNSEC_KMEM + gr_handle_mem_write(); + return -EPERM; +#endif + return do_write_mem(__va(p), p, buf, count, ppos); } @@ -205,6 +216,11 @@ vma->vm_page_prot = pgprot_noncached(vma->vm_page_prot); #endif +#ifdef CONFIG_GRKERNSEC_KMEM + if (gr_handle_mem_mmap(offset, vma)) + return -EPERM; +#endif + /* Don't try to swap out physical pages.. */ vma->vm_flags |= VM_RESERVED; @@ -298,6 +314,11 @@ ssize_t written; char * kbuf; /* k-addr because vwrite() takes vmlist_lock rwlock */ +#ifdef CONFIG_GRKERNSEC_KMEM + gr_handle_kmem_write(); + return -EPERM; +#endif + if (p < (unsigned long) high_memory) { wrote = count; @@ -573,6 +594,16 @@ static int open_port(struct inode * inode, struct file * filp) { +#ifdef CONFIG_GRKERNSEC_KMEM + gr_handle_open_port(); + return -EPERM; +#endif + + return capable(CAP_SYS_RAWIO) ? 0 : -EPERM; +} + +static int open_mem(struct inode * inode, struct file * filp) +{ return capable(CAP_SYS_RAWIO) ? 0 : -EPERM; } @@ -581,7 +612,6 @@ #define full_lseek null_lseek #define write_zero write_null #define read_full read_zero -#define open_mem open_port #define open_kmem open_mem static struct file_operations mem_fops = { @@ -679,6 +709,11 @@ case 9: filp->f_op = &urandom_fops; break; +#ifdef CONFIG_GRKERNSEC + case 10: + filp->f_op = &grsec_fops; + break; +#endif case 11: filp->f_op = &kmsg_fops; break; @@ -710,6 +745,9 @@ {7, "full", S_IRUGO | S_IWUGO, &full_fops}, {8, "random", S_IRUGO | S_IWUSR, &random_fops}, {9, "urandom", S_IRUGO | S_IWUSR, &urandom_fops}, +#ifdef CONFIG_GRKERNSEC + {10,"grsec", S_IRUSR | S_IWUGO, &grsec_fops}, +#endif {11,"kmsg", S_IRUGO | S_IWUSR, &kmsg_fops}, }; diff -uNr linux-2.6.7-rc1.orig/drivers/char/random.c linux-2.6.7-rc1/drivers/char/random.c --- linux-2.6.7-rc1.orig/drivers/char/random.c 2004-05-23 07:53:33.000000000 +0200 +++ linux-2.6.7-rc1/drivers/char/random.c 2004-05-25 14:33:58.081530592 +0200 @@ -263,9 +263,15 @@ /* * Configuration information */ +#ifdef CONFIG_GRKERNSEC_RANDNET +#define DEFAULT_POOL_SIZE 1024 +#define SECONDARY_POOL_SIZE 256 +#define BATCH_ENTROPY_SIZE 512 +#else #define DEFAULT_POOL_SIZE 512 #define SECONDARY_POOL_SIZE 128 #define BATCH_ENTROPY_SIZE 256 +#endif #define USE_SHA /* @@ -2380,6 +2386,29 @@ return halfMD4Transform(hash, keyptr->secret); } +#ifdef CONFIG_GRKERNSEC +/* the following function is provided by PaX under the GPL */ +unsigned long get_random_long(void) +{ + static time_t rekey_time; + static __u32 secret[12]; + time_t t; + + /* + * Pick a random secret every REKEY_INTERVAL seconds + */ + t = get_seconds(); + if (!rekey_time || (t - rekey_time) > REKEY_INTERVAL) { + rekey_time = t; + get_random_bytes(secret, sizeof(secret)); + } + + secret[1] = halfMD4Transform(secret+8, secret); + secret[0] = halfMD4Transform(secret+8, secret); + return *(unsigned long *)secret; +} +#endif + #ifdef CONFIG_SYN_COOKIES /* * Secure SYN cookie computation. This is the algorithm worked out by diff -uNr linux-2.6.7-rc1.orig/drivers/char/vt_ioctl.c linux-2.6.7-rc1/drivers/char/vt_ioctl.c --- linux-2.6.7-rc1.orig/drivers/char/vt_ioctl.c 2004-05-23 07:54:28.000000000 +0200 +++ linux-2.6.7-rc1/drivers/char/vt_ioctl.c 2004-05-25 14:33:58.164517976 +0200 @@ -96,6 +96,12 @@ case KDSKBENT: if (!perm) return -EPERM; + +#ifdef CONFIG_GRKERNSEC + if (!capable(CAP_SYS_TTY_CONFIG)) + return -EPERM; +#endif + if (!i && v == K_NOSUCHMAP) { /* disallocate map */ key_map = key_maps[s]; @@ -232,6 +238,13 @@ goto reterr; } +#ifdef CONFIG_GRKERNSEC + if (!capable(CAP_SYS_TTY_CONFIG)) { + return -EPERM; + goto reterr; + } +#endif + q = func_table[i]; first_free = funcbufptr + (funcbufsize - funcbufleft); for (j = i+1; j < MAX_NR_FUNC && !func_table[j]; j++) diff -uNr linux-2.6.7-rc1.orig/drivers/pci/proc.c linux-2.6.7-rc1/drivers/pci/proc.c --- linux-2.6.7-rc1.orig/drivers/pci/proc.c 2004-05-23 07:54:21.000000000 +0200 +++ linux-2.6.7-rc1/drivers/pci/proc.c 2004-05-25 14:33:58.199512656 +0200 @@ -565,7 +565,15 @@ static void legacy_proc_init(void) { +#ifdef CONFIG_GRKERNSEC_PROC_ADD +#ifdef CONFIG_GRKERNSEC_PROC_USER + struct proc_dir_entry * entry = create_proc_entry("pci", S_IRUSR, NULL); +#elif CONFIG_GRKERNSEC_PROC_USERGROUP + struct proc_dir_entry * entry = create_proc_entry("pci", S_IRUSR | S_IRGRP, NULL); +#endif +#else struct proc_dir_entry * entry = create_proc_entry("pci", 0, NULL); +#endif if (entry) entry->proc_fops = &proc_pci_operations; } @@ -594,7 +602,15 @@ { struct proc_dir_entry *entry; struct pci_dev *dev = NULL; +#ifdef CONFIG_GRKERNSEC_PROC_ADD +#ifdef CONFIG_GRKERNSEC_PROC_USER + proc_bus_pci_dir = proc_mkdir_mode("pci", S_IRUSR | S_IXUSR, proc_bus); +#elif CONFIG_GRKERNSEC_PROC_USERGROUP + proc_bus_pci_dir = proc_mkdir_mode("pci", S_IRUSR | S_IXUSR | S_IRGRP | S_IXGRP, proc_bus); +#endif +#else proc_bus_pci_dir = proc_mkdir("pci", proc_bus); +#endif entry = create_proc_entry("devices", 0, proc_bus_pci_dir); if (entry) entry->proc_fops = &proc_bus_pci_dev_operations; diff -uNr linux-2.6.7-rc1.orig/fs/binfmt_aout.c linux-2.6.7-rc1/fs/binfmt_aout.c --- linux-2.6.7-rc1.orig/fs/binfmt_aout.c 2004-05-23 07:53:46.000000000 +0200 +++ linux-2.6.7-rc1/fs/binfmt_aout.c 2004-05-25 14:33:58.437476480 +0200 @@ -24,6 +24,7 @@ #include #include #include +#include #include #include @@ -118,10 +119,12 @@ /* If the size of the dump file exceeds the rlimit, then see what would happen if we wrote the stack, but not the data area. */ #ifdef __sparc__ + gr_learn_resource(current, RLIMIT_CORE, dump.u_dsize+dump.u_ssize, 1); if ((dump.u_dsize+dump.u_ssize) > current->rlim[RLIMIT_CORE].rlim_cur) dump.u_dsize = 0; #else + gr_learn_resource(current, RLIMIT_CORE, (dump.u_dsize+dump.u_ssize+1) * PAGE_SIZE, 1); if ((dump.u_dsize+dump.u_ssize+1) * PAGE_SIZE > current->rlim[RLIMIT_CORE].rlim_cur) dump.u_dsize = 0; @@ -129,10 +132,12 @@ /* Make sure we have enough room to write the stack and data areas. */ #ifdef __sparc__ + gr_learn_resource(current, RLIMIT_CORE, dump.u_ssize, 1); if ((dump.u_ssize) > current->rlim[RLIMIT_CORE].rlim_cur) dump.u_ssize = 0; #else + gr_learn_resource(current, RLIMIT_CORE, (dump.u_ssize+1) * PAGE_SIZE, 1); if ((dump.u_ssize+1) * PAGE_SIZE > current->rlim[RLIMIT_CORE].rlim_cur) dump.u_ssize = 0; @@ -281,6 +286,8 @@ rlim = current->rlim[RLIMIT_DATA].rlim_cur; if (rlim >= RLIM_INFINITY) rlim = ~0; + + gr_learn_resource(current, RLIMIT_DATA, ex.a_data + ex.a_bss, 1); if (ex.a_data + ex.a_bss > rlim) return -ENOMEM; @@ -399,7 +406,7 @@ down_write(¤t->mm->mmap_sem); error = do_mmap(bprm->file, N_DATADDR(ex), ex.a_data, - PROT_READ | PROT_WRITE | PROT_EXEC, + PROT_READ | PROT_WRITE, MAP_FIXED | MAP_PRIVATE | MAP_DENYWRITE | MAP_EXECUTABLE, fd_offset + ex.a_text); up_write(¤t->mm->mmap_sem); diff -uNr linux-2.6.7-rc1.orig/fs/binfmt_elf.c linux-2.6.7-rc1/fs/binfmt_elf.c --- linux-2.6.7-rc1.orig/fs/binfmt_elf.c 2004-05-23 07:54:09.000000000 +0200 +++ linux-2.6.7-rc1/fs/binfmt_elf.c 2004-05-25 14:33:58.457473440 +0200 @@ -37,6 +37,8 @@ #include #include #include +#include +#include #include #include @@ -85,6 +87,7 @@ static int set_brk(unsigned long start, unsigned long end) { + current->mm->start_brk = current->mm->brk = end; start = ELF_PAGEALIGN(start); end = ELF_PAGEALIGN(end); if (end > start) { @@ -92,7 +95,6 @@ if (BAD_ADDR(addr)) return addr; } - current->mm->start_brk = current->mm->brk = end; return 0; } @@ -1098,8 +1100,11 @@ #undef DUMP_SEEK #define DUMP_WRITE(addr, nr) \ + do { \ + gr_learn_resource(current, RLIMIT_CORE, size + (nr), 1); \ if ((size += (nr)) > limit || !dump_write(file, (addr), (nr))) \ - goto end_coredump; + goto end_coredump; \ + } while (0); #define DUMP_SEEK(off) \ if (!dump_seek(file, (off))) \ goto end_coredump; diff -uNr linux-2.6.7-rc1.orig/fs/binfmt_misc.c linux-2.6.7-rc1/fs/binfmt_misc.c --- linux-2.6.7-rc1.orig/fs/binfmt_misc.c 2004-05-23 07:53:57.000000000 +0200 +++ linux-2.6.7-rc1/fs/binfmt_misc.c 2004-05-25 14:33:58.467471920 +0200 @@ -108,9 +108,11 @@ int retval; retval = -ENOEXEC; - if (!enabled) + if (!enabled || bprm->misc) goto _ret; + bprm->misc++; + /* to keep locking time low, we copy the interpreter string */ read_lock(&entries_lock); fmt = check_file(bprm); diff -uNr linux-2.6.7-rc1.orig/fs/buffer.c linux-2.6.7-rc1/fs/buffer.c --- linux-2.6.7-rc1.orig/fs/buffer.c 2004-05-23 07:54:21.000000000 +0200 +++ linux-2.6.7-rc1/fs/buffer.c 2004-05-25 14:33:58.488468728 +0200 @@ -37,6 +37,7 @@ #include #include #include +#include #include static void invalidate_bh_lrus(void); @@ -2231,6 +2232,9 @@ int err; err = -EFBIG; + + gr_learn_resource(current, RLIMIT_FSIZE, (unsigned long) size, 1); + limit = current->rlim[RLIMIT_FSIZE].rlim_cur; if (limit != RLIM_INFINITY && size > (loff_t)limit) { send_sig(SIGXFSZ, current, 0); diff -uNr linux-2.6.7-rc1.orig/fs/exec.c linux-2.6.7-rc1/fs/exec.c --- linux-2.6.7-rc1.orig/fs/exec.c 2004-05-23 07:53:57.000000000 +0200 +++ linux-2.6.7-rc1/fs/exec.c 2004-05-25 14:33:58.597452160 +0200 @@ -46,6 +46,8 @@ #include #include #include +#include +#include #include #include @@ -904,6 +906,9 @@ if (retval) return retval; + if (gr_handle_ptrace_exec(bprm->file->f_dentry, bprm->file->f_vfsmnt)) + return -EACCES; + memset(bprm->buf,0,BINPRM_BUF_SIZE); return kernel_read(bprm->file,0,bprm->buf,BINPRM_BUF_SIZE); } @@ -933,6 +938,7 @@ task_lock(current); unsafe = unsafe_exec(current); security_bprm_apply_creds(bprm, unsafe); + gr_handle_chroot_caps(current); task_unlock(current); } @@ -1073,6 +1079,11 @@ struct file *file; int retval; int i; +#ifdef CONFIG_GRKERNSEC + struct file *old_exec_file; + struct acl_subject_label *old_acl; + struct rlimit old_rlim[RLIM_NLIMITS]; +#endif sched_balance_exec(); @@ -1082,6 +1093,20 @@ if (IS_ERR(file)) return retval; + gr_learn_resource(current, RLIMIT_NPROC, atomic_read(¤t->user->processes), 1); + + if (gr_handle_nproc()) { + allow_write_access(file); + fput(file); + return -EAGAIN; + } + + if (!gr_acl_handle_execve(file->f_dentry, file->f_vfsmnt)) { + allow_write_access(file); + fput(file); + return -EACCES; + } + bprm.p = PAGE_SIZE*MAX_ARG_PAGES-sizeof(void *); memset(bprm.page, 0, MAX_ARG_PAGES*sizeof(bprm.page[0])); @@ -1089,6 +1114,7 @@ bprm.filename = filename; bprm.interp = filename; bprm.sh_bang = 0; + bprm.misc = 0; bprm.loader = 0; bprm.exec = 0; bprm.security = NULL; @@ -1117,11 +1143,26 @@ if (retval < 0) goto out; + if (!gr_tpe_allow(file)) { + retval = -EACCES; + goto out; + } + + if (gr_check_crash_exec(file)) { + retval = -EACCES; + goto out; + } + retval = copy_strings_kernel(1, &bprm.filename, &bprm); if (retval < 0) goto out; bprm.exec = bprm.p; + + gr_log_chroot_exec(file->f_dentry, file->f_vfsmnt); + + gr_handle_exec_args(&bprm, argv); + retval = copy_strings(bprm.envc, envp, &bprm); if (retval < 0) goto out; @@ -1130,8 +1171,22 @@ if (retval < 0) goto out; +#ifdef CONFIG_GRKERNSEC + old_acl = current->acl; + memcpy(old_rlim, current->rlim, sizeof(old_rlim)); + old_exec_file = current->exec_file; + get_file(file); + current->exec_file = file; +#endif + + gr_set_proc_label(file->f_dentry, file->f_vfsmnt); + retval = search_binary_handler(&bprm,regs); if (retval >= 0) { +#ifdef CONFIG_GRKERNSEC + if (old_exec_file) + fput(old_exec_file); +#endif free_arg_pages(&bprm); /* execve success */ @@ -1139,6 +1194,13 @@ return retval; } +#ifdef CONFIG_GRKERNSEC + current->acl = old_acl; + memcpy(current->rlim, old_rlim, sizeof(old_rlim)); + fput(current->exec_file); + current->exec_file = old_exec_file; +#endif + out: /* Something went wrong, return the inode and free the argument pages*/ for (i = 0 ; i < MAX_ARG_PAGES ; i++) { @@ -1365,6 +1427,7 @@ current->signal->group_exit_code = exit_code; coredump_wait(mm); + gr_learn_resource(current, RLIMIT_CORE, binfmt->min_coredump, 1); if (current->rlim[RLIMIT_CORE].rlim_cur < binfmt->min_coredump) goto fail_unlock; @@ -1384,7 +1447,7 @@ goto close_fail; if (!file->f_op->write) goto close_fail; - if (do_truncate(file->f_dentry, 0) != 0) + if (do_truncate(file->f_dentry, 0, file->f_vfsmnt) != 0) goto close_fail; retval = binfmt->core_dump(signr, regs, file); diff -uNr linux-2.6.7-rc1.orig/fs/fcntl.c linux-2.6.7-rc1/fs/fcntl.c --- linux-2.6.7-rc1.orig/fs/fcntl.c 2004-05-23 07:54:22.000000000 +0200 +++ linux-2.6.7-rc1/fs/fcntl.c 2004-05-25 14:33:58.632446840 +0200 @@ -14,6 +14,7 @@ #include #include #include +#include #include #include @@ -86,6 +87,9 @@ int error; error = -EINVAL; + + gr_learn_resource(current, RLIMIT_NOFILE, orig_start, 0); + if (orig_start >= current->rlim[RLIMIT_NOFILE].rlim_cur) goto out; @@ -105,6 +109,9 @@ } error = -EMFILE; + + gr_learn_resource(current, RLIMIT_NOFILE, newfd, 0); + if (newfd >= current->rlim[RLIMIT_NOFILE].rlim_cur) goto out; @@ -154,6 +161,8 @@ struct file * file, *tofree; struct files_struct * files = current->files; + gr_learn_resource(current, RLIMIT_NOFILE, newfd, 0); + spin_lock(&files->file_lock); if (!(file = fcheck(oldfd))) goto out_unlock; @@ -493,13 +502,15 @@ if (pid > 0) { p = find_task_by_pid(pid); if (p) { - send_sigio_to_task(p, fown, fd, band); + if (!gr_check_protected_task(p)) + send_sigio_to_task(p, fown, fd, band); } } else { struct list_head *l; struct pid *pidptr; for_each_task_pid(-pid, PIDTYPE_PGID, p, l, pidptr) { - send_sigio_to_task(p, fown, fd, band); + if (!gr_check_protected_task(p) && !gr_pid_is_chrooted(p)) + send_sigio_to_task(p, fown, fd, band); } } read_unlock(&tasklist_lock); diff -uNr linux-2.6.7-rc1.orig/fs/Kconfig linux-2.6.7-rc1/fs/Kconfig --- linux-2.6.7-rc1.orig/fs/Kconfig 2004-05-25 14:25:42.000000000 +0200 +++ linux-2.6.7-rc1/fs/Kconfig 2004-05-25 14:33:58.318494568 +0200 @@ -816,6 +816,7 @@ config PROC_KCORE bool + depends on !GRKERNSEC_PROC_ADD default y if !ARM config SYSFS diff -uNr linux-2.6.6/fs/dcache.c linux-2.6.6.grsec/fs/dcache.c --- linux-2.6.6/fs/dcache.c 2004-05-13 16:55:46.446490696 +0200 +++ linux-2.6.6.grsec/fs/dcache.c 2004-05-13 16:52:25.000000000 +0200 @@ -1263,7 +1263,7 @@ * * "buflen" should be positive. Caller holds the dcache_lock. */ -static char * __d_path( struct dentry *dentry, struct vfsmount *vfsmnt, +char * __d_path( struct dentry *dentry, struct vfsmount *vfsmnt, struct dentry *root, struct vfsmount *rootmnt, char *buffer, int buflen) { diff -uNr linux-2.6.7-rc1.orig/fs/namei.c linux-2.6.7-rc1/fs/namei.c --- linux-2.6.7-rc1.orig/fs/namei.c 2004-05-23 07:53:57.000000000 +0200 +++ linux-2.6.7-rc1/fs/namei.c 2004-05-25 14:33:58.669441216 +0200 @@ -27,6 +27,7 @@ #include #include #include +#include #include #include @@ -413,6 +414,13 @@ err = security_inode_follow_link(dentry, nd); if (err) goto loop; + + if (gr_handle_follow_link(dentry->d_parent->d_inode, + dentry->d_inode, dentry, nd->mnt)) { + err = -EACCES; + goto loop; + } + current->link_count++; current->total_link_count++; touch_atime(nd->mnt, dentry); @@ -764,6 +772,10 @@ break; } return_base: + if (!gr_acl_handle_hidden_file(nd->dentry, nd->mnt)) { + path_release(nd); + return -ENOENT; + } return 0; out_dput: dput(next.dentry); @@ -1225,7 +1237,7 @@ if (!error) { DQUOT_INIT(inode); - error = do_truncate(dentry, 0); + error = do_truncate(dentry, 0, nd->mnt); } put_write_access(inode); if (error) @@ -1276,6 +1288,17 @@ error = path_lookup(pathname, lookup_flags(flag)|LOOKUP_OPEN, nd); if (error) return error; + + if (gr_handle_rawio(nd->dentry->d_inode)) { + error = -EPERM; + goto exit; + } + + if (!gr_acl_handle_open(nd->dentry, nd->mnt, flag)) { + error = -EACCES; + goto exit; + } + goto ok; } @@ -1309,9 +1332,19 @@ /* Negative dentry, just create the file */ if (!dentry->d_inode) { + if (!gr_acl_handle_creat(dentry, nd->dentry, nd->mnt, flag, mode)) { + error = -EACCES; + up(&dir->d_inode->i_sem); + goto exit_dput; + } + if (!IS_POSIXACL(dir->d_inode)) mode &= ~current->fs->umask; error = vfs_create(dir->d_inode, dentry, mode, nd); + + if (!error) + gr_handle_create(dentry, nd->mnt); + up(&dir->d_inode->i_sem); dput(nd->dentry); nd->dentry = dentry; @@ -1326,6 +1359,25 @@ /* * It already exists. */ + + if (gr_handle_rawio(dentry->d_inode)) { + error = -EPERM; + up(&dir->d_inode->i_sem); + goto exit_dput; + } + + if (!gr_acl_handle_open(dentry, nd->mnt, flag)) { + up(&dir->d_inode->i_sem); + error = -EACCES; + goto exit_dput; + } + + if (gr_handle_fifo(dentry, nd->mnt, dir, flag, acc_mode)) { + up(&dir->d_inode->i_sem); + error = -EACCES; + goto exit_dput; + } + up(&dir->d_inode->i_sem); error = -EEXIST; @@ -1379,6 +1431,13 @@ error = security_inode_follow_link(dentry, nd); if (error) goto exit_dput; + + if (gr_handle_follow_link(dentry->d_parent->d_inode, dentry->d_inode, + dentry, nd->mnt)) { + error = -EACCES; + goto exit_dput; + } + touch_atime(nd->mnt, dentry); error = dentry->d_inode->i_op->follow_link(dentry, nd); dput(dentry); @@ -1486,6 +1545,22 @@ if (!IS_POSIXACL(nd.dentry->d_inode)) mode &= ~current->fs->umask; if (!IS_ERR(dentry)) { + if (gr_handle_chroot_mknod(dentry, nd.mnt, mode)) { + error = -EPERM; + dput(dentry); + up(&nd.dentry->d_inode->i_sem); + path_release(&nd); + goto out; + } + + if (!gr_acl_handle_mknod(dentry, nd.dentry, nd.mnt, mode)) { + error = -EACCES; + dput(dentry); + up(&nd.dentry->d_inode->i_sem); + path_release(&nd); + goto out; + } + switch (mode & S_IFMT) { case 0: case S_IFREG: error = vfs_create(nd.dentry->d_inode,dentry,mode,&nd); @@ -1503,6 +1578,10 @@ default: error = -EINVAL; } + + if (!error) + gr_handle_create(dentry, nd.mnt); + dput(dentry); } up(&nd.dentry->d_inode->i_sem); @@ -1554,9 +1633,19 @@ dentry = lookup_create(&nd, 1); error = PTR_ERR(dentry); if (!IS_ERR(dentry)) { + error = 0; if (!IS_POSIXACL(nd.dentry->d_inode)) mode &= ~current->fs->umask; - error = vfs_mkdir(nd.dentry->d_inode, dentry, mode); + + if (!gr_acl_handle_mkdir(dentry, nd.dentry, nd.mnt)) + error = -EACCES; + + if (!error) + error = vfs_mkdir(nd.dentry->d_inode, dentry, mode); + + if (!error) + gr_handle_create(dentry, nd.mnt); + dput(dentry); } up(&nd.dentry->d_inode->i_sem); @@ -1640,6 +1729,8 @@ char * name; struct dentry *dentry; struct nameidata nd; + ino_t saved_ino = 0; + dev_t saved_dev = 0; name = getname(pathname); if(IS_ERR(name)) @@ -1664,7 +1755,21 @@ dentry = lookup_hash(&nd.last, nd.dentry); error = PTR_ERR(dentry); if (!IS_ERR(dentry)) { - error = vfs_rmdir(nd.dentry->d_inode, dentry); + error = 0; + if (dentry->d_inode) { + if (dentry->d_inode->i_nlink <= 1) { + saved_ino = dentry->d_inode->i_ino; + saved_dev = dentry->d_inode->i_sb->s_dev; + } + + if (!gr_acl_handle_rmdir(dentry, nd.mnt)) + error = -EACCES; + } + + if (!error) + error = vfs_rmdir(nd.dentry->d_inode, dentry); + if (!error && (saved_dev || saved_ino)) + gr_handle_delete(saved_ino, saved_dev); dput(dentry); } up(&nd.dentry->d_inode->i_sem); @@ -1718,6 +1823,8 @@ struct dentry *dentry; struct nameidata nd; struct inode *inode = NULL; + ino_t saved_ino = 0; + dev_t saved_dev = 0; name = getname(pathname); if(IS_ERR(name)) @@ -1733,13 +1840,26 @@ dentry = lookup_hash(&nd.last, nd.dentry); error = PTR_ERR(dentry); if (!IS_ERR(dentry)) { + error = 0; /* Why not before? Because we want correct error value */ if (nd.last.name[nd.last.len]) goto slashes; inode = dentry->d_inode; - if (inode) + if (inode) { + if (inode->i_nlink <= 1) { + saved_ino = inode->i_ino; + saved_dev = inode->i_sb->s_dev; + } + + if (!gr_acl_handle_unlink(dentry, nd.mnt)) + error = -EACCES; + atomic_inc(&inode->i_count); - error = vfs_unlink(nd.dentry->d_inode, dentry); + } + if (!error) + error = vfs_unlink(nd.dentry->d_inode, dentry); + if (!error && (saved_ino || saved_dev)) + gr_handle_delete(saved_ino, saved_dev); exit2: dput(dentry); } @@ -1803,7 +1923,15 @@ dentry = lookup_create(&nd, 0); error = PTR_ERR(dentry); if (!IS_ERR(dentry)) { - error = vfs_symlink(nd.dentry->d_inode, dentry, from, S_IALLUGO); + error = 0; + if (!gr_acl_handle_symlink(dentry, nd.dentry, nd.mnt, from)) + error = -EACCES; + + if (!error) + error = vfs_symlink(nd.dentry->d_inode, dentry, from, S_IALLUGO); + + if (!error) + gr_handle_create(dentry, nd.mnt); dput(dentry); } up(&nd.dentry->d_inode->i_sem); @@ -1887,7 +2015,20 @@ new_dentry = lookup_create(&nd, 0); error = PTR_ERR(new_dentry); if (!IS_ERR(new_dentry)) { - error = vfs_link(old_nd.dentry, nd.dentry->d_inode, new_dentry); + error = 0; + if (gr_handle_hardlink(old_nd.dentry, old_nd.mnt, + old_nd.dentry->d_inode, + old_nd.dentry->d_inode->i_mode, to)) + error = -EPERM; + if (!gr_acl_handle_link(new_dentry, nd.dentry, nd.mnt, + old_nd.dentry, old_nd.mnt, to)) + error = -EACCES; + if (!error) + error = vfs_link(old_nd.dentry, nd.dentry->d_inode, new_dentry); + + if (!error) + gr_handle_create(new_dentry, nd.mnt); + dput(new_dentry); } up(&nd.dentry->d_inode->i_sem); @@ -2109,8 +2250,16 @@ if (new_dentry == trap) goto exit5; - error = vfs_rename(old_dir->d_inode, old_dentry, + error = gr_acl_handle_rename(new_dentry, newnd.dentry, newnd.mnt, + old_dentry, old_dir->d_inode, oldnd.mnt, + newname); + + if (!error) + error = vfs_rename(old_dir->d_inode, old_dentry, new_dir->d_inode, new_dentry); + if (!error) + gr_handle_rename(old_dir->d_inode, newnd.dentry->d_inode, old_dentry, + new_dentry, oldnd.mnt, new_dentry->d_inode ? 1 : 0); exit5: dput(new_dentry); exit4: diff -uNr linux-2.6.7-rc1.orig/fs/namespace.c linux-2.6.7-rc1/fs/namespace.c --- linux-2.6.7-rc1.orig/fs/namespace.c 2004-05-23 07:54:22.000000000 +0200 +++ linux-2.6.7-rc1/fs/namespace.c 2004-05-25 14:33:58.726432552 +0200 @@ -21,6 +21,8 @@ #include #include #include +#include +#include #include #include @@ -402,6 +404,8 @@ lock_kernel(); retval = do_remount_sb(sb, MS_RDONLY, 0, 0); unlock_kernel(); + + gr_log_remount(mnt->mnt_devname, retval); } up_write(&sb->s_umount); return retval; @@ -430,6 +434,9 @@ if (retval) security_sb_umount_busy(mnt); up_write(¤t->namespace->sem); + + gr_log_unmount(mnt->mnt_devname, retval); + return retval; } @@ -852,6 +859,11 @@ if (retval) goto dput_out; + if (gr_handle_chroot_mount(nd.dentry, nd.mnt, dev_name)) { + retval = -EPERM; + goto dput_out; + } + if (flags & MS_REMOUNT) retval = do_remount(&nd, flags & ~MS_REMOUNT, mnt_flags, data_page); @@ -864,6 +876,9 @@ dev_name, data_page); dput_out: path_release(&nd); + + gr_log_mount(dev_name, dir_name, retval); + return retval; } @@ -1086,6 +1101,9 @@ if (!capable(CAP_SYS_ADMIN)) return -EPERM; + if (gr_handle_chroot_pivot()) + return -EPERM; + lock_kernel(); error = __user_walk(new_root, LOOKUP_FOLLOW|LOOKUP_DIRECTORY, &new_nd); diff -uNr linux-2.6.7-rc1.orig/fs/open.c linux-2.6.7-rc1/fs/open.c --- linux-2.6.7-rc1.orig/fs/open.c 2004-05-23 07:53:32.000000000 +0200 +++ linux-2.6.7-rc1/fs/open.c 2004-05-25 14:33:58.770425864 +0200 @@ -22,6 +22,7 @@ #include #include #include +#include #include @@ -191,7 +192,7 @@ return error; } -int do_truncate(struct dentry *dentry, loff_t length) +int do_truncate(struct dentry *dentry, loff_t length, struct vfsmount *mnt) { int err; struct iattr newattrs; @@ -200,6 +201,9 @@ if (length < 0) return -EINVAL; + if (!gr_acl_handle_truncate(dentry, mnt)) + return -EACCES; + newattrs.ia_size = length; newattrs.ia_valid = ATTR_SIZE | ATTR_CTIME; down(&dentry->d_inode->i_sem); @@ -260,7 +264,7 @@ error = locks_verify_truncate(inode, NULL, length); if (!error) { DQUOT_INIT(inode); - error = do_truncate(nd.dentry, length); + error = do_truncate(nd.dentry, length, nd.mnt); } put_write_access(inode); @@ -312,7 +316,7 @@ error = locks_verify_truncate(inode, file, length); if (!error) - error = do_truncate(dentry, length); + error = do_truncate(dentry, length, file->f_vfsmnt); out_putf: fput(file); out: @@ -391,6 +395,11 @@ (error = permission(inode,MAY_WRITE,&nd)) != 0) goto dput_and_out; } + if (!gr_acl_handle_utime(nd.dentry, nd.mnt)) { + error = -EACCES; + goto dput_and_out; + } + down(&inode->i_sem); error = notify_change(nd.dentry, &newattrs); up(&inode->i_sem); @@ -444,6 +453,12 @@ (error = permission(inode,MAY_WRITE,&nd)) != 0) goto dput_and_out; } + + if (!gr_acl_handle_utime(nd.dentry, nd.mnt)) { + error = -EACCES; + goto dput_and_out; + } + down(&inode->i_sem); error = notify_change(nd.dentry, &newattrs); up(&inode->i_sem); @@ -505,6 +520,10 @@ if(!res && (mode & S_IWOTH) && IS_RDONLY(nd.dentry->d_inode) && !special_file(nd.dentry->d_inode->i_mode)) res = -EROFS; + + if (!res && !gr_acl_handle_access(nd.dentry, nd.mnt, mode)) + res = -EACCES; + path_release(&nd); } @@ -528,6 +547,8 @@ if (error) goto dput_and_out; + gr_log_chdir(nd.dentry, nd.mnt); + set_fs_pwd(current->fs, nd.mnt, nd.dentry); dput_and_out: @@ -558,6 +579,13 @@ goto out_putf; error = permission(inode, MAY_EXEC, NULL); + + if (!error && !gr_chroot_fchdir(dentry, mnt)) + error = -EPERM; + + if (!error) + gr_log_chdir(dentry, mnt); + if (!error) set_fs_pwd(current->fs, mnt, dentry); out_putf: @@ -583,8 +611,16 @@ if (!capable(CAP_SYS_CHROOT)) goto dput_and_out; + if (gr_handle_chroot_chroot(nd.dentry, nd.mnt)) + goto dput_and_out; + set_fs_root(current->fs, nd.mnt, nd.dentry); set_fs_altroot(); + + gr_handle_chroot_caps(current); + + gr_handle_chroot_chdir(nd.dentry, nd.mnt); + error = 0; dput_and_out: path_release(&nd); @@ -613,9 +649,22 @@ err = -EPERM; if (IS_IMMUTABLE(inode) || IS_APPEND(inode)) goto out_putf; + + if (!gr_acl_handle_fchmod(dentry, file->f_vfsmnt, mode)) { + err = -EACCES; + goto out_putf; + } + down(&inode->i_sem); if (mode == (mode_t) -1) mode = inode->i_mode; + + if (gr_handle_chroot_chmod(dentry, file->f_vfsmnt, mode)) { + err = -EPERM; + up(&inode->i_sem); + goto out_putf; + } + newattrs.ia_mode = (mode & S_IALLUGO) | (inode->i_mode & ~S_IALLUGO); newattrs.ia_valid = ATTR_MODE | ATTR_CTIME; err = notify_change(dentry, &newattrs); @@ -647,9 +696,21 @@ if (IS_IMMUTABLE(inode) || IS_APPEND(inode)) goto dput_and_out; + if (!gr_acl_handle_chmod(nd.dentry, nd.mnt, mode)) { + error = -EACCES; + goto dput_and_out; + } + down(&inode->i_sem); if (mode == (mode_t) -1) mode = inode->i_mode; + + if (gr_handle_chroot_chmod(nd.dentry, nd.mnt, mode)) { + error = -EACCES; + up(&inode->i_sem); + goto dput_and_out; + } + newattrs.ia_mode = (mode & S_IALLUGO) | (inode->i_mode & ~S_IALLUGO); newattrs.ia_valid = ATTR_MODE | ATTR_CTIME; error = notify_change(nd.dentry, &newattrs); @@ -661,7 +722,7 @@ return error; } -static int chown_common(struct dentry * dentry, uid_t user, gid_t group) +static int chown_common(struct dentry * dentry, uid_t user, gid_t group, struct vfsmount *mnt) { struct inode * inode; int error; @@ -678,6 +739,12 @@ error = -EPERM; if (IS_IMMUTABLE(inode) || IS_APPEND(inode)) goto out; + + if (!gr_acl_handle_chown(dentry, mnt)) { + error = -EACCES; + goto out; + } + newattrs.ia_valid = ATTR_CTIME; if (user != (uid_t) -1) { newattrs.ia_valid |= ATTR_UID; @@ -703,7 +770,7 @@ error = user_path_walk(filename, &nd); if (!error) { - error = chown_common(nd.dentry, user, group); + error = chown_common(nd.dentry, user, group, nd.mnt); path_release(&nd); } return error; @@ -716,7 +783,7 @@ error = user_path_walk_link(filename, &nd); if (!error) { - error = chown_common(nd.dentry, user, group); + error = chown_common(nd.dentry, user, group, nd.mnt); path_release(&nd); } return error; @@ -730,7 +797,8 @@ file = fget(fd); if (file) { - error = chown_common(file->f_dentry, user, group); + error = chown_common(file->f_dentry, user, + group, file->f_vfsmnt); fput(file); } return error; @@ -852,6 +920,7 @@ * N.B. For clone tasks sharing a files structure, this test * will limit the total number of files that can be opened. */ + gr_learn_resource(current, RLIMIT_NOFILE, fd, 0); if (fd >= current->rlim[RLIMIT_NOFILE].rlim_cur) goto out; diff -uNr linux-2.6.7-rc1.orig/fs/proc/array.c linux-2.6.7-rc1/fs/proc/array.c --- linux-2.6.7-rc1.orig/fs/proc/array.c 2004-05-23 07:54:21.000000000 +0200 +++ linux-2.6.7-rc1/fs/proc/array.c 2004-05-25 14:33:58.797421760 +0200 @@ -323,6 +323,12 @@ wchan = get_wchan(task); +#if defined(CONFIG_GRKERNSEC_PROC_MEMMAP) || defined(CONFIG_GRKERNSEC_HIDESYM) + wchan = 0; + eip =0; + esp =0; +#endif + sigemptyset(&sigign); sigemptyset(&sigcatch); read_lock(&tasklist_lock); @@ -424,3 +430,14 @@ return sprintf(buffer,"%d %d %d %d %d %d %d\n", size, resident, shared, text, lib, data, 0); } + +#ifdef CONFIG_GRKERNSEC_PROC_IPADDR +int proc_pid_ipaddr(struct task_struct *task, char * buffer) +{ + int len; + + len = sprintf(buffer, "%u.%u.%u.%u\n", NIPQUAD(task->curr_ip)); + return len; +} +#endif + diff -uNr linux-2.6.7-rc1.orig/fs/proc/base.c linux-2.6.7-rc1/fs/proc/base.c --- linux-2.6.7-rc1.orig/fs/proc/base.c 2004-05-23 07:54:21.000000000 +0200 +++ linux-2.6.7-rc1/fs/proc/base.c 2004-05-25 14:33:58.811419632 +0200 @@ -32,6 +32,7 @@ #include #include #include +#include /* * For hysterical raisins we keep the same inumbers as in the old procfs. @@ -67,6 +68,9 @@ PROC_TGID_ATTR_EXEC, PROC_TGID_ATTR_FSCREATE, #endif +#ifdef CONFIG_GRKERNSEC_PROC_IPADDR + PROC_TGID_IPADDR, +#endif PROC_TGID_FD_DIR, PROC_TID_INO, PROC_TID_STATUS, @@ -117,6 +121,9 @@ E(PROC_TGID_ROOT, "root", S_IFLNK|S_IRWXUGO), E(PROC_TGID_EXE, "exe", S_IFLNK|S_IRWXUGO), E(PROC_TGID_MOUNTS, "mounts", S_IFREG|S_IRUGO), +#ifdef CONFIG_GRKERNSEC_PROC_IPADDR + E(PROC_TGID_IPADDR, "ipaddr", S_IFREG|S_IRUSR), +#endif #ifdef CONFIG_SECURITY E(PROC_TGID_ATTR, "attr", S_IFDIR|S_IRUGO|S_IXUGO), #endif @@ -181,6 +188,9 @@ int proc_pid_status(struct task_struct*,char*); int proc_pid_statm(struct task_struct*,char*); int proc_pid_cpu(struct task_struct*,char*); +#ifdef CONFIG_GRKERNSEC_PROC_IPADDR +int proc_pid_ipaddr(struct task_struct*,char*); +#endif static int proc_fd_link(struct inode *inode, struct dentry **dentry, struct vfsmount **mnt) { @@ -277,7 +287,7 @@ (task == current || \ (task->parent == current && \ (task->ptrace & PT_PTRACED) && task->state == TASK_STOPPED && \ - security_ptrace(current,task) == 0)) + security_ptrace(current,task) == 0 && !gr_handle_proc_ptrace(task))) static int may_ptrace_attach(struct task_struct *task) { @@ -292,13 +302,15 @@ (current->uid != task->uid) || (current->gid != task->egid) || (current->gid != task->sgid) || - (current->gid != task->gid)) && !capable(CAP_SYS_PTRACE)) + (current->gid != task->gid)) && !capable_nolog(CAP_SYS_PTRACE)) goto out; rmb(); - if (!task->mm->dumpable && !capable(CAP_SYS_PTRACE)) + if (!task->mm->dumpable && !capable_nolog(CAP_SYS_PTRACE)) goto out; if (security_ptrace(current, task)) goto out; + if (gr_handle_proc_ptrace(task)) + goto out; retval = 1; out: @@ -445,9 +457,22 @@ static int proc_permission(struct inode *inode, int mask, struct nameidata *nd) { + int ret; + struct task_struct *task; + if (vfs_permission(inode, mask) != 0) return -EACCES; - return proc_check_root(inode); + ret = proc_check_root(inode); + + if (ret) + return ret; + + task = proc_task(inode); + + if (!task) + return 0; + + return gr_acl_handle_procpidmem(task); } extern struct seq_operations proc_pid_maps_op; @@ -954,6 +979,9 @@ inode->i_uid = task->euid; inode->i_gid = task->egid; } +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP + inode->i_gid = CONFIG_GRKERNSEC_PROC_GID; +#endif security_task_to_inode(task, inode); out: @@ -982,7 +1010,9 @@ if (pid_alive(task)) { if (proc_type(inode) == PROC_TGID_INO || proc_type(inode) == PROC_TID_INO || task_dumpable(task)) { inode->i_uid = task->euid; +#ifndef CONFIG_GRKERNSEC_PROC_USERGROUP inode->i_gid = task->egid; +#endif } else { inode->i_uid = 0; inode->i_gid = 0; @@ -1318,6 +1348,12 @@ inode->i_fop = &proc_info_file_operations; ei->op.proc_read = proc_pid_status; break; +#ifdef CONFIG_GRKERNSEC_PROC_IPADDR + case PROC_TGID_IPADDR: + inode->i_fop = &proc_info_file_operations; + ei->op.proc_read = proc_pid_ipaddr; + break; +#endif case PROC_TID_STAT: case PROC_TGID_STAT: inode->i_fop = &proc_info_file_operations; @@ -1567,6 +1603,22 @@ if (!task) goto out; + if (gr_check_hidden_task(task)) { + put_task_struct(task); + goto out; + } + +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP) + if (current->uid && (task->uid != current->uid) +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP + && !in_group_p(CONFIG_GRKERNSEC_PROC_GID) +#endif + ) { + put_task_struct(task); + goto out; + } +#endif + inode = proc_pid_make_inode(dir->i_sb, task, PROC_TGID_INO); @@ -1574,7 +1626,15 @@ put_task_struct(task); goto out; } + +#ifdef CONFIG_GRKERNSEC_PROC_USER + inode->i_mode = S_IFDIR|S_IRUSR|S_IXUSR; +#elif CONFIG_GRKERNSEC_PROC_USERGROUP + inode->i_mode = S_IFDIR|S_IRUSR|S_IXUSR|S_IRGRP|S_IXGRP; + inode->i_gid = CONFIG_GRKERNSEC_PROC_GID; +#else inode->i_mode = S_IFDIR|S_IRUGO|S_IXUGO; +#endif inode->i_op = &proc_tgid_base_inode_operations; inode->i_fop = &proc_tgid_base_operations; inode->i_nlink = 3; @@ -1658,6 +1718,9 @@ static int get_tgid_list(int index, unsigned long version, unsigned int *tgids) { struct task_struct *p; +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP) + struct task_struct *tmp = current; +#endif int nr_tgids = 0; index--; @@ -1678,6 +1741,18 @@ int tgid = p->pid; if (!pid_alive(p)) continue; + if (gr_pid_is_chrooted(p)) + continue; + if (gr_check_hidden_task(p)) + continue; +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP) + if (tmp->uid && (p->uid != tmp->uid) +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP + && !in_group_p(CONFIG_GRKERNSEC_PROC_GID) +#endif + ) + continue; +#endif if (--index >= 0) continue; tgids[nr_tgids] = tgid; diff -uNr linux-2.6.7-rc1.orig/fs/proc/inode.c linux-2.6.7-rc1/fs/proc/inode.c --- linux-2.6.7-rc1.orig/fs/proc/inode.c 2004-05-23 07:54:43.000000000 +0200 +++ linux-2.6.7-rc1/fs/proc/inode.c 2004-05-25 14:33:58.814419176 +0200 @@ -209,7 +209,11 @@ if (de->mode) { inode->i_mode = de->mode; inode->i_uid = de->uid; +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP + inode->i_gid = CONFIG_GRKERNSEC_PROC_GID; +#else inode->i_gid = de->gid; +#endif } if (de->size) inode->i_size = de->size; diff -uNr linux-2.6.7-rc1.orig/fs/proc/proc_misc.c linux-2.6.7-rc1/fs/proc/proc_misc.c --- linux-2.6.7-rc1.orig/fs/proc/proc_misc.c 2004-05-23 07:53:35.000000000 +0200 +++ linux-2.6.7-rc1/fs/proc/proc_misc.c 2004-05-25 14:33:58.817418720 +0200 @@ -654,6 +654,8 @@ void __init proc_misc_init(void) { struct proc_dir_entry *entry; + int gr_mode = 0; + static struct { char *name; int (*read_proc)(char*,char**,off_t,int,int*,void*); @@ -668,9 +670,13 @@ #ifdef CONFIG_STRAM_PROC {"stram", stram_read_proc}, #endif +#ifndef CONFIG_GRKERNSEC_PROC_ADD {"devices", devices_read_proc}, +#endif {"filesystems", filesystems_read_proc}, +#ifndef CONFIG_GRKERNSEC_PROC_ADD {"cmdline", cmdline_read_proc}, +#endif {"locks", locks_read_proc}, {"execdomains", execdomains_read_proc}, {NULL,} @@ -681,24 +687,39 @@ for (p = simple_ones; p->name; p++) create_proc_read_entry(p->name, 0, NULL, p->read_proc, NULL); +#ifdef CONFIG_GRKERNSEC_PROC_USER + gr_mode = S_IRUSR; +#elif CONFIG_GRKERNSEC_PROC_USERGROUP + gr_mode = S_IRUSR | S_IRGRP; +#endif +#ifdef CONFIG_GRKERNSEC_PROC_ADD + create_proc_read_entry("devices", gr_mode, NULL, &devices_read_proc, NULL); + create_proc_read_entry("cmdline", gr_mode, NULL, &cmdline_read_proc, NULL); +#endif + proc_symlink("mounts", NULL, "self/mounts"); /* And now for trickier ones */ entry = create_proc_entry("kmsg", S_IRUSR, &proc_root); if (entry) entry->proc_fops = &proc_kmsg_operations; +#ifdef CONFIG_GRKERNSEC_PROC_ADD + create_seq_entry("cpuinfo", gr_mode, &proc_cpuinfo_operations); + create_seq_entry("slabinfo",gr_mode,&proc_slabinfo_operations); +#else create_seq_entry("cpuinfo", 0, &proc_cpuinfo_operations); + create_seq_entry("slabinfo",S_IWUSR|S_IRUGO,&proc_slabinfo_operations); +#endif create_seq_entry("partitions", 0, &proc_partitions_operations); create_seq_entry("stat", 0, &proc_stat_operations); create_seq_entry("interrupts", 0, &proc_interrupts_operations); - create_seq_entry("slabinfo",S_IWUSR|S_IRUGO,&proc_slabinfo_operations); create_seq_entry("buddyinfo",S_IRUGO, &fragmentation_file_operations); create_seq_entry("vmstat",S_IRUGO, &proc_vmstat_file_operations); create_seq_entry("diskstats", 0, &proc_diskstats_operations); #ifdef CONFIG_MODULES - create_seq_entry("modules", 0, &proc_modules_operations); + create_seq_entry("modules", gr_mode, &proc_modules_operations); #endif -#ifdef CONFIG_PROC_KCORE +#if defined(CONFIG_PROC_KCORE) proc_root_kcore = create_proc_entry("kcore", S_IRUSR, NULL); if (proc_root_kcore) { proc_root_kcore->proc_fops = &proc_kcore_operations; diff -uNr linux-2.6.7-rc1.orig/fs/proc/root.c linux-2.6.7-rc1/fs/proc/root.c --- linux-2.6.7-rc1.orig/fs/proc/root.c 2004-05-23 07:54:29.000000000 +0200 +++ linux-2.6.7-rc1/fs/proc/root.c 2004-05-25 14:33:58.819418416 +0200 @@ -52,13 +52,26 @@ return; } proc_misc_init(); + +#ifdef CONFIG_GRKERNSEC_PROC_USER + proc_net = proc_mkdir_mode("net", S_IRUSR | S_IXUSR, NULL); +#elif CONFIG_GRKERNSEC_PROC_USERGROUP + proc_net = proc_mkdir_mode("net", S_IRUSR | S_IXUSR | S_IRGRP | S_IXGRP, NULL); +#else proc_net = proc_mkdir("net", NULL); +#endif #ifdef CONFIG_SYSVIPC proc_mkdir("sysvipc", NULL); #endif #ifdef CONFIG_SYSCTL +#ifdef CONFIG_GRKERNSEC_PROC_USER + proc_sys_root = proc_mkdir_mode("sys", S_IRUSR | S_IXUSR, NULL); +#elif CONFIG_GRKERNSEC_PROC_USERGROUP + proc_sys_root = proc_mkdir_mode("sys", S_IRUSR | S_IXUSR | S_IRGRP | S_IXGRP, NULL); +#else proc_sys_root = proc_mkdir("sys", NULL); #endif +#endif #if defined(CONFIG_BINFMT_MISC) || defined(CONFIG_BINFMT_MISC_MODULE) proc_mkdir("sys/fs", NULL); proc_mkdir("sys/fs/binfmt_misc", NULL); @@ -74,7 +87,15 @@ #ifdef CONFIG_PROC_DEVICETREE proc_device_tree_init(); #endif +#ifdef CONFIG_GRKERNSEC_PROC_ADD +#ifdef CONFIG_GRKERNSEC_PROC_USER + proc_bus = proc_mkdir_mode("bus", S_IRUSR | S_IXUSR, NULL); +#elif CONFIG_GRKERNSEC_PROC_USERGROUP + proc_bus = proc_mkdir_mode("bus", S_IRUSR | S_IXUSR | S_IRGRP | S_IXGRP, NULL); +#endif +#else proc_bus = proc_mkdir("bus", NULL); +#endif } static struct dentry *proc_root_lookup(struct inode * dir, struct dentry * dentry, struct nameidata *nd) diff -uNr linux-2.6.7-rc1.orig/fs/readdir.c linux-2.6.7-rc1/fs/readdir.c --- linux-2.6.7-rc1.orig/fs/readdir.c 2004-05-23 07:54:17.000000000 +0200 +++ linux-2.6.7-rc1/fs/readdir.c 2004-05-25 14:33:58.841415072 +0200 @@ -15,6 +15,8 @@ #include #include #include +#include +#include #include @@ -65,6 +67,7 @@ struct readdir_callback { struct old_linux_dirent __user * dirent; int result; + struct nameidata nd; }; static int fillonedir(void * __buf, const char * name, int namlen, loff_t offset, @@ -75,6 +78,10 @@ if (buf->result) return -EINVAL; + + if (!gr_acl_handle_filldir(buf->nd.dentry, buf->nd.mnt, ino)) + return 0; + buf->result++; dirent = buf->dirent; if (!access_ok(VERIFY_WRITE, (unsigned long)dirent, @@ -107,6 +114,9 @@ buf.result = 0; buf.dirent = dirent; + buf.nd.dentry = file->f_dentry; + buf.nd.mnt = file->f_vfsmnt; + error = vfs_readdir(file, fillonedir, &buf); if (error >= 0) error = buf.result; @@ -134,6 +144,7 @@ struct linux_dirent __user * previous; int count; int error; + struct nameidata nd; }; static int filldir(void * __buf, const char * name, int namlen, loff_t offset, @@ -146,6 +157,10 @@ buf->error = -EINVAL; /* only used if we fail.. */ if (reclen > buf->count) return -EINVAL; + + if (!gr_acl_handle_filldir(buf->nd.dentry, buf->nd.mnt, ino)) + return 0; + dirent = buf->previous; if (dirent) { if (__put_user(offset, &dirent->d_off)) @@ -193,6 +208,9 @@ buf.count = count; buf.error = 0; + buf.nd.dentry = file->f_dentry; + buf.nd.mnt = file->f_vfsmnt; + error = vfs_readdir(file, filldir, &buf); if (error < 0) goto out_putf; @@ -218,6 +236,7 @@ struct linux_dirent64 __user * previous; int count; int error; + struct nameidata nd; }; static int filldir64(void * __buf, const char * name, int namlen, loff_t offset, @@ -230,6 +249,10 @@ buf->error = -EINVAL; /* only used if we fail.. */ if (reclen > buf->count) return -EINVAL; + + if (!gr_acl_handle_filldir(buf->nd.dentry, buf->nd.mnt, ino)) + return 0; + dirent = buf->previous; if (dirent) { if (__put_user(offset, &dirent->d_off)) @@ -279,6 +302,9 @@ buf.count = count; buf.error = 0; + buf.nd.mnt = file->f_vfsmnt; + buf.nd.dentry = file->f_dentry; + error = vfs_readdir(file, filldir64, &buf); if (error < 0) goto out_putf; diff -uNr linux-2.6.7-rc1.orig/grsecurity/gracl_alloc.c linux-2.6.7-rc1/grsecurity/gracl_alloc.c --- linux-2.6.7-rc1.orig/grsecurity/gracl_alloc.c 1970-01-01 01:00:00.000000000 +0100 +++ linux-2.6.7-rc1/grsecurity/gracl_alloc.c 2004-05-25 14:33:58.907405040 +0200 @@ -0,0 +1,93 @@ +/* stack-based acl allocation tracking (c) Brad Spengler 2002,2003 */ + +#include +#include +#include +#include +#include +#include + +static unsigned long alloc_stack_next = 1; +static unsigned long alloc_stack_size = 1; +static void **alloc_stack; + +static __inline__ int +alloc_pop(void) +{ + if (alloc_stack_next == 1) + return 0; + + kfree(alloc_stack[alloc_stack_next - 2]); + + alloc_stack_next--; + + return 1; +} + +static __inline__ void +alloc_push(void *buf) +{ + if (alloc_stack_next >= alloc_stack_size) + BUG(); + + alloc_stack[alloc_stack_next - 1] = buf; + + alloc_stack_next++; + + return; +} + +void * +acl_alloc(unsigned long len) +{ + void *ret; + + if (len > PAGE_SIZE) + BUG(); + + ret = kmalloc(len, GFP_KERNEL); + + if (ret) + alloc_push(ret); + + return ret; +} + +void +acl_free_all(void) +{ + if (gr_acl_is_enabled() || !alloc_stack) + return; + + while (alloc_pop()) ; + + if (alloc_stack) { + if ((alloc_stack_size * sizeof (void *)) <= PAGE_SIZE) + kfree(alloc_stack); + else + vfree(alloc_stack); + } + + alloc_stack = NULL; + alloc_stack_size = 1; + alloc_stack_next = 1; + + return; +} + +int +acl_alloc_stack_init(unsigned long size) +{ + if ((size * sizeof (void *)) <= PAGE_SIZE) + alloc_stack = + (void **) kmalloc(size * sizeof (void *), GFP_KERNEL); + else + alloc_stack = (void **) vmalloc(size * sizeof (void *)); + + alloc_stack_size = size; + + if (!alloc_stack) + return 0; + else + return 1; +} diff -uNr linux-2.6.7-rc1.orig/grsecurity/gracl.c linux-2.6.7-rc1/grsecurity/gracl.c --- linux-2.6.7-rc1.orig/grsecurity/gracl.c 1970-01-01 01:00:00.000000000 +0100 +++ linux-2.6.7-rc1/grsecurity/gracl.c 2004-05-25 14:33:58.905405344 +0200 @@ -0,0 +1,3311 @@ +/* + * grsecurity/gracl.c + * Copyright Brad Spengler 2001, 2002, 2003 + * + */ + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#include +#include +#include + +static struct acl_role_db acl_role_set; +static struct acl_role_label *role_list_head; +static struct name_db name_set; +static struct name_db inodev_set; + +/* for keeping track of userspace pointers used for subjects, so we + can share references in the kernel as well +*/ +static struct acl_subj_map_db subj_map_set; + +static struct acl_role_label *default_role; + +static u16 acl_sp_role_value; + +extern char *gr_shared_page[4]; +static DECLARE_MUTEX(gr_dev_sem); +rwlock_t gr_inode_lock = RW_LOCK_UNLOCKED; + +struct gr_arg *gr_usermode; + +static unsigned long gr_status = GR_STATUS_INIT; + +extern int chkpw(struct gr_arg *entry, unsigned char *salt, unsigned char *sum); +extern void gr_clear_learn_entries(void); + +#ifdef CONFIG_GRKERNSEC_RESLOG +extern void gr_log_resource(const struct task_struct *task, + const int res, const unsigned long wanted, const int gt); +#endif + +extern char * __d_path(struct dentry *dentry, struct vfsmount *vfsmnt, + struct dentry *root, struct vfsmount *rootmnt, + char *buffer, int buflen); + +unsigned char *gr_system_salt; +unsigned char *gr_system_sum; + +static struct sprole_pw **acl_special_roles = NULL; +static __u16 num_sprole_pws = 0; + +static struct acl_role_label *kernel_role = NULL; + +/* The following are used to keep a place held in the hash table when we move + entries around. They can be replaced during insert. */ + +static struct acl_subject_label *deleted_subject; +static struct acl_object_label *deleted_object; +static struct name_entry *deleted_inodev; + +/* for keeping track of the last and final allocated subjects, since + nested subject parsing is tricky +*/ +static struct acl_subject_label *s_last = NULL; +static struct acl_subject_label *s_final = NULL; + +static unsigned int gr_auth_attempts = 0; +static unsigned long gr_auth_expires = 0UL; + +extern int gr_init_uidset(void); +extern void gr_free_uidset(void); +extern void gr_remove_uid(uid_t uid); +extern int gr_find_uid(uid_t uid); + +__inline__ int +gr_acl_is_enabled(void) +{ + return (gr_status & GR_READY); +} + +__inline__ int +gr_acl_tpe_check(void) +{ + if (unlikely(!(gr_status & GR_READY))) + return 0; + if (current->role->roletype & GR_ROLE_TPE) + return 1; + else + return 0; +} + +int +gr_handle_rawio(const struct inode *inode) +{ + if (inode && S_ISBLK(inode->i_mode) && !capable(CAP_SYS_RAWIO) && + ((gr_status & GR_READY) +#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS + || (grsec_enable_chroot_caps && proc_is_chrooted(current)) +#endif + )) + return 1; + return 0; +} + + +static __inline__ int +gr_streq(const char *a, const char *b, const __u16 lena, const __u16 lenb) +{ + int i; + unsigned long *l1; + unsigned long *l2; + unsigned char *c1; + unsigned char *c2; + int num_longs; + + if (likely(lena != lenb)) + return 0; + + l1 = (unsigned long *)a; + l2 = (unsigned long *)b; + + num_longs = lena / sizeof(unsigned long); + + for (i = num_longs; i--; l1++, l2++) { + if (unlikely(*l1 != *l2)) + return 0; + } + + c1 = (unsigned char *) l1; + c2 = (unsigned char *) l2; + + i = lena - (num_longs * sizeof(unsigned long)); + + for (; i--; c1++, c2++) { + if (unlikely(*c1 != *c2)) + return 0; + } + + return 1; +} + +static __inline__ char * +__d_real_path(const struct dentry *dentry, const struct vfsmount *vfsmnt, + char *buf, int buflen) +{ + char *res; + struct dentry *our_dentry; + struct vfsmount *our_mount; + struct vfsmount *rootmnt; + struct dentry *root; + + our_dentry = (struct dentry *) dentry; + our_mount = (struct vfsmount *) vfsmnt; + + read_lock(&child_reaper->fs->lock); + rootmnt = mntget(child_reaper->fs->rootmnt); + root = dget(child_reaper->fs->root); + read_unlock(&child_reaper->fs->lock); + + res = __d_path(our_dentry, our_mount, root, rootmnt, buf, buflen); + if (unlikely(IS_ERR(res))) + res = strcpy(buf, ""); + dput(root); + mntput(rootmnt); + return res; +} + +char * +gr_to_filename_nolock(const struct dentry *dentry, const struct vfsmount *mnt) +{ + return __d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[0], smp_processor_id()), + PAGE_SIZE); +} + +static __inline__ char * +d_real_path(const struct dentry *dentry, const struct vfsmount *vfsmnt, + char *buf, int buflen) +{ + char *res; + struct dentry *our_dentry; + struct vfsmount *our_mount; + struct vfsmount *rootmnt; + struct dentry *root; + + our_dentry = (struct dentry *) dentry; + our_mount = (struct vfsmount *) vfsmnt; + + read_lock(&child_reaper->fs->lock); + rootmnt = mntget(child_reaper->fs->rootmnt); + root = dget(child_reaper->fs->root); + read_unlock(&child_reaper->fs->lock); + + spin_lock(&dcache_lock); + res = __d_path(our_dentry, our_mount, root, rootmnt, buf, buflen); + spin_unlock(&dcache_lock); + if (unlikely(IS_ERR(res))) + res = strcpy(buf, ""); + dput(root); + mntput(rootmnt); + return res; +} + +char * +gr_to_filename(const struct dentry *dentry, const struct vfsmount *mnt) +{ + return d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[0], smp_processor_id()), + PAGE_SIZE); +} + +char * +gr_to_filename1(const struct dentry *dentry, const struct vfsmount *mnt) +{ + return d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[1], smp_processor_id()), + PAGE_SIZE); +} + +char * +gr_to_filename2(const struct dentry *dentry, const struct vfsmount *mnt) +{ + return d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[2], smp_processor_id()), + PAGE_SIZE); +} + +char * +gr_to_filename3(const struct dentry *dentry, const struct vfsmount *mnt) +{ + return d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[3], smp_processor_id()), + PAGE_SIZE); +} + +__inline__ __u32 +to_gr_audit(const __u32 reqmode) +{ + __u32 retmode = 0; + + retmode |= (reqmode & GR_READ) ? GR_AUDIT_READ : 0; + retmode |= (reqmode & GR_WRITE) ? GR_AUDIT_WRITE | GR_AUDIT_APPEND : 0; + retmode |= (reqmode & GR_APPEND) ? GR_AUDIT_APPEND : 0; + retmode |= (reqmode & GR_EXEC) ? GR_AUDIT_EXEC : 0; + retmode |= (reqmode & GR_INHERIT) ? GR_AUDIT_INHERIT : 0; + retmode |= (reqmode & GR_FIND) ? GR_AUDIT_FIND : 0; + retmode |= (reqmode & GR_SETID) ? GR_AUDIT_SETID : 0; + retmode |= (reqmode & GR_CREATE) ? GR_AUDIT_CREATE : 0; + retmode |= (reqmode & GR_DELETE) ? GR_AUDIT_DELETE : 0; + + return retmode; +} + +__inline__ struct acl_subject_label * +lookup_subject_map(const struct acl_subject_label *userp) +{ + unsigned long index = shash(userp, subj_map_set.s_size); + struct subject_map *match; + __u8 i = 0; + + match = subj_map_set.s_hash[index]; + + while (match && match->user != userp) { + index = (index + (1 << i)) % subj_map_set.s_size; + match = subj_map_set.s_hash[index]; + i = (i + 1) % 32; + } + + if (match) + return match->kernel; + else + return NULL; +} + +static void +insert_subj_map_entry(struct subject_map *subjmap) +{ + unsigned long index = shash(subjmap->user, subj_map_set.s_size); + struct subject_map **curr; + __u8 i = 0; + + curr = &subj_map_set.s_hash[index]; + + while (*curr) { + index = (index + (1 << i)) % subj_map_set.s_size; + curr = &subj_map_set.s_hash[index]; + i = (i + 1) % 32; + } + + *curr = subjmap; + + return; +} + +__inline__ struct acl_role_label * +lookup_acl_role_label(const struct task_struct *task, const uid_t uid, + const gid_t gid) +{ + unsigned long index = rhash(uid, GR_ROLE_USER, acl_role_set.r_size); + struct acl_role_label *match; + struct role_allowed_ip *ipp; + __u8 i = 0; + + match = acl_role_set.r_hash[index]; + + while (match + && (match->uidgid != uid || !(match->roletype & GR_ROLE_USER))) { + index = (index + (1 << i)) % acl_role_set.r_size; + match = acl_role_set.r_hash[index]; + i = (i + 1) % 32; + } + + if (match == NULL) { + try_group: + index = rhash(gid, GR_ROLE_GROUP, acl_role_set.r_size); + match = acl_role_set.r_hash[index]; + i = 0; + + while (match && (match->uidgid != gid + || !(match->roletype & GR_ROLE_GROUP))) { + index = (index + (1 << i)) % acl_role_set.r_size; + match = acl_role_set.r_hash[index]; + i = (i + 1) % 32; + } + + if (match == NULL) + match = default_role; + if (match->allowed_ips == NULL) + return match; + else { + for (ipp = match->allowed_ips; ipp; ipp = ipp->next) { + if (likely + ((task->curr_ip & ipp->netmask) == + (ipp->addr & ipp->netmask))) + return match; + } + match = default_role; + } + } else if (match->allowed_ips == NULL) { + return match; + } else { + for (ipp = match->allowed_ips; ipp; ipp = ipp->next) { + if (likely + ((task->curr_ip & ipp->netmask) == + (ipp->addr & ipp->netmask))) + return match; + } + goto try_group; + } + + return match; +} + +__inline__ struct acl_subject_label * +lookup_acl_subj_label(const ino_t ino, const dev_t dev, + const struct acl_role_label *role) +{ + unsigned long subj_size = role->subj_hash_size; + struct acl_subject_label **s_hash = role->subj_hash; + unsigned long index = fhash(ino, dev, subj_size); + struct acl_subject_label *match; + __u8 i = 0; + + match = s_hash[index]; + + while (match && (match->inode != ino || match->device != dev || + (match->mode & GR_DELETED))) { + index = (index + (1 << i)) % subj_size; + match = s_hash[index]; + i = (i + 1) % 32; + } + + if (match && (match != deleted_subject) && !(match->mode & GR_DELETED)) + return match; + else + return NULL; +} + +static __inline__ struct acl_object_label * +lookup_acl_obj_label(const ino_t ino, const dev_t dev, + const struct acl_subject_label *subj) +{ + unsigned long obj_size = subj->obj_hash_size; + struct acl_object_label **o_hash = subj->obj_hash; + unsigned long index = fhash(ino, dev, obj_size); + struct acl_object_label *match; + __u8 i = 0; + + match = o_hash[index]; + + while (match && (match->inode != ino || match->device != dev || + (match->mode & GR_DELETED))) { + index = (index + (1 << i)) % obj_size; + match = o_hash[index]; + i = (i + 1) % 32; + } + + if (match && (match != deleted_object) && !(match->mode & GR_DELETED)) + return match; + else + return NULL; +} + +static __inline__ struct acl_object_label * +lookup_acl_obj_label_create(const ino_t ino, const dev_t dev, + const struct acl_subject_label *subj) +{ + unsigned long obj_size = subj->obj_hash_size; + struct acl_object_label **o_hash = subj->obj_hash; + unsigned long index = fhash(ino, dev, obj_size); + struct acl_object_label *match; + __u8 i = 0; + + match = o_hash[index]; + + while (match && (match->inode != ino || match->device != dev || + !(match->mode & GR_DELETED))) { + index = (index + (1 << i)) % obj_size; + match = o_hash[index]; + i = (i + 1) % 32; + } + + if (match && (match != deleted_object) && (match->mode & GR_DELETED)) + return match; + + i = 0; + index = fhash(ino, dev, obj_size); + match = o_hash[index]; + + while (match && (match->inode != ino || match->device != dev || + (match->mode & GR_DELETED))) { + index = (index + (1 << i)) % obj_size; + match = o_hash[index]; + i = (i + 1) % 32; + } + + if (match && (match != deleted_object) && !(match->mode & GR_DELETED)) + return match; + else + return NULL; +} + +static __inline__ struct name_entry * +lookup_name_entry(const char *name) +{ + __u16 len = strlen(name); + unsigned long index = nhash(name, len, name_set.n_size); + struct name_entry *match; + __u8 i = 0; + + match = name_set.n_hash[index]; + + while (match && !gr_streq(match->name, name, match->len, len)) { + index = (index + (1 << i)) % name_set.n_size; + match = name_set.n_hash[index]; + i = (i + 1) % 32; + } + + return match; +} + +static __inline__ struct name_entry * +lookup_inodev_entry(const ino_t ino, const dev_t dev) +{ + unsigned long index = fhash(ino, dev, inodev_set.n_size); + struct name_entry *match; + __u8 i = 0; + + match = inodev_set.n_hash[index]; + + while (match && (match->inode != ino || match->device != dev)) { + index = (index + (1 << i)) % inodev_set.n_size; + match = inodev_set.n_hash[index]; + i = (i + 1) % 32; + } + + if (match && (match != deleted_inodev)) + return match; + else + return NULL; +} + +static void +insert_inodev_entry(struct name_entry *nentry) +{ + unsigned long index = fhash(nentry->inode, nentry->device, + inodev_set.n_size); + struct name_entry **curr; + __u8 i = 0; + + curr = &inodev_set.n_hash[index]; + + while (*curr && *curr != deleted_inodev) { + index = (index + (1 << i)) % inodev_set.n_size; + curr = &inodev_set.n_hash[index]; + i = (i + 1) % 32; + } + + *curr = nentry; + + return; +} + +static void +insert_acl_role_label(struct acl_role_label *role) +{ + unsigned long index = + rhash(role->uidgid, role->roletype & (GR_ROLE_USER | GR_ROLE_GROUP), acl_role_set.r_size); + struct acl_role_label **curr; + __u8 i = 0; + + curr = &acl_role_set.r_hash[index]; + + while (*curr) { + index = (index + (1 << i)) % acl_role_set.r_size; + curr = &acl_role_set.r_hash[index]; + i = (i + 1) % 32; + } + + *curr = role; + + return; +} + +static int +insert_name_entry(char *name, const ino_t inode, const dev_t device) +{ + struct name_entry **curr; + __u8 i = 0; + __u16 len = strlen(name); + unsigned long index = nhash(name, len, name_set.n_size); + + curr = &name_set.n_hash[index]; + + while (*curr && !gr_streq((*curr)->name, name, (*curr)->len, len)) { + index = (index + (1 << i)) % name_set.n_size; + curr = &name_set.n_hash[index]; + i = (i + 1) % 32; + } + + if (!(*curr)) { + struct name_entry *nentry = + acl_alloc(sizeof (struct name_entry)); + if (!nentry) + return 0; + nentry->name = name; + nentry->inode = inode; + nentry->device = device; + nentry->len = len; + *curr = nentry; + /* insert us into the table searchable by inode/dev */ + insert_inodev_entry(nentry); + } + + return 1; +} + +static void +insert_acl_obj_label(struct acl_object_label *obj, + struct acl_subject_label *subj) +{ + unsigned long index = + fhash(obj->inode, obj->device, subj->obj_hash_size); + struct acl_object_label **curr; + __u8 i = 0; + + curr = &subj->obj_hash[index]; + + while (*curr && *curr != deleted_object) { + index = (index + (1 << i)) % subj->obj_hash_size; + curr = &subj->obj_hash[index]; + i = (i + 1) % 32; + } + + *curr = obj; + + return; +} + +static void +insert_acl_subj_label(struct acl_subject_label *obj, + struct acl_role_label *role) +{ + unsigned long subj_size = role->subj_hash_size; + struct acl_subject_label **s_hash = role->subj_hash; + unsigned long index = fhash(obj->inode, obj->device, subj_size); + struct acl_subject_label **curr; + __u8 i = 0; + + curr = &s_hash[index]; + + while (*curr && *curr != deleted_subject) { + index = (index + (1 << i)) % subj_size; + curr = &s_hash[index]; + i = (i + 1) % 32; + } + + *curr = obj; + + return; +} + +static void ** +create_table(__u32 * len) +{ + unsigned long table_sizes[] = { + 7, 13, 31, 61, 127, 251, 509, 1021, 2039, 4093, 8191, 16381, + 32749, 65521, 131071, 262139, 524287, 1048573, 2097143, + 4194301, 8388593, 16777213, 33554393, 67108859, 134217689, + 268435399, 536870909, 1073741789, 2147483647 + }; + void *newtable = NULL; + unsigned int pwr = 0; + + while ((pwr < ((sizeof (table_sizes) / sizeof (table_sizes[0])) - 1)) && + table_sizes[pwr] <= (2 * (*len))) + pwr++; + + if (table_sizes[pwr] <= (2 * (*len))) + return newtable; + + if ((table_sizes[pwr] * sizeof (void *)) <= PAGE_SIZE) + newtable = + kmalloc(table_sizes[pwr] * sizeof (void *), GFP_KERNEL); + else + newtable = vmalloc(table_sizes[pwr] * sizeof (void *)); + + *len = table_sizes[pwr]; + + return newtable; +} + +static int +init_variables(const unsigned long acl_obj_size, + const unsigned long acl_glob_size, + const unsigned long acl_subj_size, + const unsigned long acl_ip_size, + const unsigned long acl_role_size, + const unsigned long allowed_ip_size, + const unsigned long acl_trans_size, + const __u16 num_sprole_pws) +{ + unsigned long stacksize; + + subj_map_set.s_size = acl_subj_size; + acl_role_set.r_size = acl_role_size; + name_set.n_size = (acl_obj_size + acl_subj_size); + inodev_set.n_size = (acl_obj_size + acl_subj_size); + + if (!gr_init_uidset()) + return 1; + + /* set up the stack that holds allocation info */ + + stacksize = (3 * acl_obj_size) + (3 * acl_role_size) + + (6 * acl_subj_size) + acl_ip_size + (2 * acl_trans_size) + + allowed_ip_size + (2 * num_sprole_pws) + (2 * acl_glob_size) + 5; + + if (!acl_alloc_stack_init(stacksize)) + return 1; + + /* create our empty, fake deleted acls */ + deleted_subject = + (struct acl_subject_label *) + acl_alloc(sizeof (struct acl_subject_label)); + deleted_object = + (struct acl_object_label *) + acl_alloc(sizeof (struct acl_object_label)); + deleted_inodev = + (struct name_entry *) acl_alloc(sizeof (struct name_entry)); + + if (!deleted_subject || !deleted_object || !deleted_inodev) + return 1; + + memset(deleted_subject, 0, sizeof (struct acl_subject_label)); + memset(deleted_object, 0, sizeof (struct acl_object_label)); + memset(deleted_inodev, 0, sizeof (struct name_entry)); + + /* We only want 50% full tables for now */ + + subj_map_set.s_hash = + (struct subject_map **) create_table(&subj_map_set.s_size); + acl_role_set.r_hash = + (struct acl_role_label **) create_table(&acl_role_set.r_size); + name_set.n_hash = (struct name_entry **) create_table(&name_set.n_size); + inodev_set.n_hash = + (struct name_entry **) create_table(&inodev_set.n_size); + + if (!subj_map_set.s_hash || !acl_role_set.r_hash || + !name_set.n_hash || !inodev_set.n_hash) + return 1; + + memset(subj_map_set.s_hash, 0, + sizeof(struct subject_map *) * subj_map_set.s_size); + memset(acl_role_set.r_hash, 0, + sizeof (struct acl_role_label *) * acl_role_set.r_size); + memset(name_set.n_hash, 0, + sizeof (struct name_entry *) * name_set.n_size); + memset(inodev_set.n_hash, 0, + sizeof (struct name_entry *) * inodev_set.n_size); + + return 0; +} + +/* free information not needed after startup + currently contains user->kernel pointer mappings for subjects +*/ + +static void +free_init_variables(void) +{ + __u32 i; + + if (subj_map_set.s_hash) { + for (i = 0; i < subj_map_set.s_size; i++) { + if (subj_map_set.s_hash[i]) { + kfree(subj_map_set.s_hash[i]); + subj_map_set.s_hash[i] = NULL; + } + } + + if ((subj_map_set.s_size * sizeof (struct subject_map *)) <= + PAGE_SIZE) + kfree(subj_map_set.s_hash); + else + vfree(subj_map_set.s_hash); + } + + return; +} + +static void +free_variables(void) +{ + struct acl_subject_label *s; + struct acl_role_label *r; + struct task_struct *task, *task2; + + gr_clear_learn_entries(); + + read_lock(&tasklist_lock); + for_each_process(task) { + task2 = task; + do { + task2->acl_sp_role = 0; + task2->acl_role_id = 0; + task2->acl = NULL; + task2->role = NULL; + } while ((task2 = next_thread(task2)) != task); + } + read_unlock(&tasklist_lock); + + /* free all object hash tables */ + + if (role_list_head) { + for (r = role_list_head; r; r = r->next) { + if (!r->subj_hash) + break; + for (s = r->hash->first; s; s = s->next) { + if (!s->obj_hash) + break; + if ((s->obj_hash_size * + sizeof (struct acl_object_label *)) <= + PAGE_SIZE) + kfree(s->obj_hash); + else + vfree(s->obj_hash); + } + if ((r->subj_hash_size * + sizeof (struct acl_subject_label *)) <= PAGE_SIZE) + kfree(r->subj_hash); + else + vfree(r->subj_hash); + } + } + + acl_free_all(); + + if (acl_role_set.r_hash) { + if ((acl_role_set.r_size * sizeof (struct acl_role_label *)) <= + PAGE_SIZE) + kfree(acl_role_set.r_hash); + else + vfree(acl_role_set.r_hash); + } + if (name_set.n_hash) { + if ((name_set.n_size * sizeof (struct name_entry *)) <= + PAGE_SIZE) + kfree(name_set.n_hash); + else + vfree(name_set.n_hash); + } + + if (inodev_set.n_hash) { + if ((inodev_set.n_size * sizeof (struct name_entry *)) <= + PAGE_SIZE) + kfree(inodev_set.n_hash); + else + vfree(inodev_set.n_hash); + } + + gr_free_uidset(); + + memset(&name_set, 0, sizeof (struct name_db)); + memset(&inodev_set, 0, sizeof (struct name_db)); + memset(&acl_role_set, 0, sizeof (struct acl_role_db)); + memset(&subj_map_set, 0, sizeof (struct acl_subj_map_db)); + + role_list_head = NULL; + default_role = NULL; + + return; +} + +static __u32 +count_user_objs(struct acl_object_label *userp) +{ + struct acl_object_label o_tmp; + __u32 num = 0; + + while (userp) { + if (copy_from_user(&o_tmp, userp, + sizeof (struct acl_object_label))) + break; + + userp = o_tmp.prev; + num++; + } + + return num; +} + +static struct acl_subject_label * +do_copy_user_subj(struct acl_subject_label *userp, struct acl_role_label *role); + +static int +copy_user_glob(struct acl_object_label *obj) +{ + struct acl_object_label *g_tmp, **guser, *glast = NULL; + unsigned int len; + char *tmp; + + if (obj->globbed == NULL) + return 0; + + guser = &obj->globbed; + while (*guser) { + g_tmp = (struct acl_object_label *) + acl_alloc(sizeof (struct acl_object_label)); + if (g_tmp == NULL) + return -ENOMEM; + + if (copy_from_user(g_tmp, *guser, + sizeof (struct acl_object_label))) + return -EFAULT; + + len = strnlen_user(g_tmp->filename, PATH_MAX); + + if (!len || len >= PATH_MAX) + return -EINVAL; + + if ((tmp = (char *) acl_alloc(len)) == NULL) + return -ENOMEM; + + if (copy_from_user(tmp, g_tmp->filename, len)) + return -EFAULT; + + g_tmp->filename = tmp; + + if (glast) + glast->next = g_tmp; + g_tmp->prev = glast; + *guser = g_tmp; + glast = g_tmp; + guser = &((*guser)->next); + } + + return 0; +} + +static int +copy_user_objs(struct acl_object_label *userp, struct acl_subject_label *subj, + struct acl_role_label *role) +{ + struct acl_object_label *o_tmp; + unsigned int len; + int ret; + char *tmp; + + while (userp) { + if ((o_tmp = (struct acl_object_label *) + acl_alloc(sizeof (struct acl_object_label))) == NULL) + return -ENOMEM; + + if (copy_from_user(o_tmp, userp, + sizeof (struct acl_object_label))) + return -EFAULT; + + userp = o_tmp->prev; + + len = strnlen_user(o_tmp->filename, PATH_MAX); + + if (!len || len >= PATH_MAX) + return -EINVAL; + + if ((tmp = (char *) acl_alloc(len)) == NULL) + return -ENOMEM; + + if (copy_from_user(tmp, o_tmp->filename, len)) + return -EFAULT; + + o_tmp->filename = tmp; + + insert_acl_obj_label(o_tmp, subj); + if (!insert_name_entry(o_tmp->filename, o_tmp->inode, + o_tmp->device)) + return -ENOMEM; + + ret = copy_user_glob(o_tmp); + if (ret) + return ret; + + if (o_tmp->nested) { + o_tmp->nested = do_copy_user_subj(o_tmp->nested, role); + if (IS_ERR(o_tmp->nested)) + return PTR_ERR(o_tmp->nested); + + s_final = o_tmp->nested; + } + } + + return 0; +} + +static __u32 +count_user_subjs(struct acl_subject_label *userp) +{ + struct acl_subject_label s_tmp; + __u32 num = 0; + + while (userp) { + if (copy_from_user(&s_tmp, userp, + sizeof (struct acl_subject_label))) + break; + + userp = s_tmp.prev; + /* do not count nested subjects against this count, since + they are not included in the hash table, but are + attached to objects. We have already counted + the subjects in userspace for the allocation + stack + */ + if (!(s_tmp.mode & GR_NESTED)) + num++; + } + + return num; +} + +static int +copy_user_allowedips(struct acl_role_label *rolep) +{ + struct role_allowed_ip *ruserip, *rtmp = NULL, *rlast; + + ruserip = rolep->allowed_ips; + + while (ruserip) { + rlast = rtmp; + + if ((rtmp = (struct role_allowed_ip *) + acl_alloc(sizeof (struct role_allowed_ip))) == NULL) + return -ENOMEM; + + if (copy_from_user(rtmp, ruserip, + sizeof (struct role_allowed_ip))) + return -EFAULT; + + ruserip = rtmp->prev; + + if (!rlast) { + rtmp->prev = NULL; + rolep->allowed_ips = rtmp; + } else { + rlast->next = rtmp; + rtmp->prev = rlast; + } + + if (!ruserip) + rtmp->next = NULL; + } + + return 0; +} + +static int +copy_user_transitions(struct acl_role_label *rolep) +{ + struct role_transition *rusertp, *rtmp = NULL, *rlast; + unsigned int len; + char *tmp; + + rusertp = rolep->transitions; + + while (rusertp) { + rlast = rtmp; + + if ((rtmp = (struct role_transition *) + acl_alloc(sizeof (struct role_transition))) == NULL) + return -ENOMEM; + + if (copy_from_user(rtmp, rusertp, + sizeof (struct role_transition))) + return -EFAULT; + + rusertp = rtmp->prev; + + len = strnlen_user(rtmp->rolename, GR_SPROLE_LEN); + + if (!len || len >= GR_SPROLE_LEN) + return -EINVAL; + + if ((tmp = (char *) acl_alloc(len)) == NULL) + return -ENOMEM; + + if (copy_from_user(tmp, rtmp->rolename, len)) + return -EFAULT; + + rtmp->rolename = tmp; + + if (!rlast) { + rtmp->prev = NULL; + rolep->transitions = rtmp; + } else { + rlast->next = rtmp; + rtmp->prev = rlast; + } + + if (!rusertp) + rtmp->next = NULL; + } + + return 0; +} + +static struct acl_subject_label * +do_copy_user_subj(struct acl_subject_label *userp, struct acl_role_label *role) +{ + struct acl_subject_label *s_tmp = NULL, *s_tmp2; + unsigned int len; + char *tmp; + __u32 num_objs; + struct acl_ip_label **i_tmp, *i_utmp2; + struct gr_hash_struct ghash; + struct subject_map *subjmap; + unsigned long i_num; + int err; + + s_tmp = lookup_subject_map(userp); + + /* we've already copied this subject into the kernel, just return + the reference to it, and don't copy it over again + */ + if (s_tmp) + return(s_tmp); + + + if ((s_tmp = (struct acl_subject_label *) + acl_alloc(sizeof (struct acl_subject_label))) == NULL) + return ERR_PTR(-ENOMEM); + + subjmap = (struct subject_map *)kmalloc(sizeof (struct subject_map), GFP_KERNEL); + if (subjmap == NULL) + return ERR_PTR(-ENOMEM); + + subjmap->user = userp; + subjmap->kernel = s_tmp; + insert_subj_map_entry(subjmap); + + if (copy_from_user(s_tmp, userp, + sizeof (struct acl_subject_label))) + return ERR_PTR(-EFAULT); + + if (!s_last) { + s_tmp->prev = NULL; + role->hash->first = s_tmp; + } else { + s_last->next = s_tmp; + s_tmp->prev = s_last; + } + + s_last = s_tmp; + + len = strnlen_user(s_tmp->filename, PATH_MAX); + + if (!len || len >= PATH_MAX) + return ERR_PTR(-EINVAL); + + if ((tmp = (char *) acl_alloc(len)) == NULL) + return ERR_PTR(-ENOMEM); + + if (copy_from_user(tmp, s_tmp->filename, len)) + return ERR_PTR(-EFAULT); + + s_tmp->filename = tmp; + + if (!strcmp(s_tmp->filename, "/")) + role->root_label = s_tmp; + + if (copy_from_user(&ghash, s_tmp->hash, sizeof(struct gr_hash_struct))) + return ERR_PTR(-EFAULT); + + /* copy user and group transition tables */ + + if (s_tmp->user_trans_num) { + uid_t *uidlist; + + uidlist = (uid_t *)acl_alloc(s_tmp->user_trans_num * sizeof(uid_t)); + if (uidlist == NULL) + return ERR_PTR(-ENOMEM); + if (copy_from_user(uidlist, s_tmp->user_transitions, s_tmp->user_trans_num * sizeof(uid_t))) + return ERR_PTR(-EFAULT); + + s_tmp->user_transitions = uidlist; + } + + if (s_tmp->group_trans_num) { + gid_t *gidlist; + + gidlist = (gid_t *)acl_alloc(s_tmp->group_trans_num * sizeof(gid_t)); + if (gidlist == NULL) + return ERR_PTR(-ENOMEM); + if (copy_from_user(gidlist, s_tmp->group_transitions, s_tmp->group_trans_num * sizeof(gid_t))) + return ERR_PTR(-EFAULT); + + s_tmp->group_transitions = gidlist; + } + + /* set up object hash table */ + num_objs = count_user_objs(ghash.first); + + s_tmp->obj_hash_size = num_objs; + s_tmp->obj_hash = + (struct acl_object_label **) + create_table(&(s_tmp->obj_hash_size)); + + if (!s_tmp->obj_hash) + return ERR_PTR(-ENOMEM); + + memset(s_tmp->obj_hash, 0, + s_tmp->obj_hash_size * + sizeof (struct acl_object_label *)); + + /* copy before adding in objects, since a nested + acl could be found and be the final subject + copied + */ + + s_final = s_tmp; + + /* add in objects */ + err = copy_user_objs(ghash.first, s_tmp, role); + + if (err) + return ERR_PTR(err); + + /* set pointer for parent subject */ + if (s_tmp->parent_subject) { + s_tmp2 = do_copy_user_subj(s_tmp->parent_subject, role); + + if (IS_ERR(s_tmp2)) + return s_tmp2; + + s_tmp->parent_subject = s_tmp2; + } + + /* add in ip acls */ + + if (!s_tmp->ip_num) { + s_tmp->ips = NULL; + goto insert; + } + + i_tmp = + (struct acl_ip_label **) acl_alloc(s_tmp->ip_num * + sizeof (struct + acl_ip_label *)); + + if (!i_tmp) + return ERR_PTR(-ENOMEM); + + for (i_num = 0; i_num < s_tmp->ip_num; i_num++) { + *(i_tmp + i_num) = + (struct acl_ip_label *) + acl_alloc(sizeof (struct acl_ip_label)); + if (!*(i_tmp + i_num)) + return ERR_PTR(-ENOMEM); + + if (copy_from_user + (&i_utmp2, s_tmp->ips + i_num, + sizeof (struct acl_ip_label *))) + return ERR_PTR(-EFAULT); + + if (copy_from_user + (*(i_tmp + i_num), i_utmp2, + sizeof (struct acl_ip_label))) + return ERR_PTR(-EFAULT); + } + + s_tmp->ips = i_tmp; + +insert: + if (!insert_name_entry(s_tmp->filename, s_tmp->inode, + s_tmp->device)) + return ERR_PTR(-ENOMEM); + + return s_tmp; +} + +static int +copy_user_subjs(struct acl_subject_label *userp, struct acl_role_label *role) +{ + struct acl_subject_label s_pre; + struct acl_subject_label * ret; + int err; + + while (userp) { + if (copy_from_user(&s_pre, userp, + sizeof (struct acl_subject_label))) + return -EFAULT; + + /* do not add nested subjects here, add + while parsing objects + */ + + if (s_pre.mode & GR_NESTED) { + userp = s_pre.prev; + continue; + } + + ret = do_copy_user_subj(userp, role); + + err = PTR_ERR(ret); + if (IS_ERR(ret)) + return err; + + insert_acl_subj_label(ret, role); + + userp = s_pre.prev; + } + + s_final->next = NULL; + + return 0; +} + +static int +copy_user_acl(struct gr_arg *arg) +{ + struct acl_role_label *r_tmp = NULL, **r_utmp, *r_utmp2, *r_last; + struct sprole_pw *sptmp; + struct gr_hash_struct *ghash; + unsigned long r_num; + unsigned int len; + char *tmp; + int err = 0; + __u16 i; + __u32 num_subjs; + + /* we need a default and kernel role */ + if (arg->role_db.r_entries < 2) + return -EINVAL; + + /* copy special role authentication info from userspace */ + + num_sprole_pws = arg->num_sprole_pws; + acl_special_roles = (struct sprole_pw **) acl_alloc(num_sprole_pws * sizeof(struct sprole_pw *)); + + if (!acl_special_roles) { + err = -ENOMEM; + goto cleanup; + } + + for (i = 0; i < num_sprole_pws; i++) { + sptmp = (struct sprole_pw *) acl_alloc(sizeof(struct sprole_pw)); + if (!sptmp) { + err = -ENOMEM; + goto cleanup; + } + if (copy_from_user(sptmp, arg->sprole_pws + i, + sizeof (struct sprole_pw))) { + err = -EFAULT; + goto cleanup; + } + + len = + strnlen_user(sptmp->rolename, GR_SPROLE_LEN); + + if (!len || len >= GR_SPROLE_LEN) { + err = -EINVAL; + goto cleanup; + } + + if ((tmp = (char *) acl_alloc(len)) == NULL) { + err = -ENOMEM; + goto cleanup; + } + + if (copy_from_user(tmp, sptmp->rolename, len)) { + err = -EFAULT; + goto cleanup; + } + +#ifdef CONFIG_GRKERNSEC_ACL_DEBUG + printk(KERN_ALERT "Copying special role %s\n", tmp); +#endif + sptmp->rolename = tmp; + acl_special_roles[i] = sptmp; + } + + r_utmp = (struct acl_role_label **) arg->role_db.r_table; + + for (r_num = 0; r_num < arg->role_db.r_entries; r_num++) { + r_last = r_tmp; + + r_tmp = acl_alloc(sizeof (struct acl_role_label)); + + if (!r_tmp) { + err = -ENOMEM; + goto cleanup; + } + + if (copy_from_user(&r_utmp2, r_utmp + r_num, + sizeof (struct acl_role_label *))) { + err = -EFAULT; + goto cleanup; + } + + if (copy_from_user(r_tmp, r_utmp2, + sizeof (struct acl_role_label))) { + err = -EFAULT; + goto cleanup; + } + + if (!r_last) { + r_tmp->prev = NULL; + role_list_head = r_tmp; + } else { + r_last->next = r_tmp; + r_tmp->prev = r_last; + } + + if (r_num == (arg->role_db.r_entries - 1)) + r_tmp->next = NULL; + + len = strnlen_user(r_tmp->rolename, PATH_MAX); + + if (!len || len >= PATH_MAX) { + err = -EINVAL; + goto cleanup; + } + + if ((tmp = (char *) acl_alloc(len)) == NULL) { + err = -ENOMEM; + goto cleanup; + } + if (copy_from_user(tmp, r_tmp->rolename, len)) { + err = -EFAULT; + goto cleanup; + } + r_tmp->rolename = tmp; + + if (!strcmp(r_tmp->rolename, "default") + && (r_tmp->roletype & GR_ROLE_DEFAULT)) { + default_role = r_tmp; + } else if (!strcmp(r_tmp->rolename, ":::kernel:::")) { + kernel_role = r_tmp; + } + + if ((ghash = (struct gr_hash_struct *) acl_alloc(sizeof(struct gr_hash_struct))) == NULL) { + err = -ENOMEM; + goto cleanup; + } + if (copy_from_user(ghash, r_tmp->hash, sizeof(struct gr_hash_struct))) { + err = -EFAULT; + goto cleanup; + } + + r_tmp->hash = ghash; + + num_subjs = count_user_subjs(r_tmp->hash->first); + + r_tmp->subj_hash_size = num_subjs; + r_tmp->subj_hash = + (struct acl_subject_label **) + create_table(&(r_tmp->subj_hash_size)); + + if (!r_tmp->subj_hash) { + err = -ENOMEM; + goto cleanup; + } + + err = copy_user_allowedips(r_tmp); + if (err) + goto cleanup; + + err = copy_user_transitions(r_tmp); + if (err) + goto cleanup; + + memset(r_tmp->subj_hash, 0, + r_tmp->subj_hash_size * + sizeof (struct acl_subject_label *)); + + s_last = NULL; + + err = copy_user_subjs(r_tmp->hash->first, r_tmp); + + if (err) + goto cleanup; + + insert_acl_role_label(r_tmp); + } + + goto return_err; + cleanup: + free_variables(); + return_err: + return err; + +} + +static int +gracl_init(struct gr_arg *args) +{ + int error = 0; + + memcpy(gr_system_salt, args->salt, GR_SALT_LEN); + memcpy(gr_system_sum, args->sum, GR_SHA_LEN); + + if (init_variables(args->role_db.o_entries, args->role_db.g_entries, + args->role_db.s_entries, args->role_db.i_entries, + args->role_db.r_entries, args->role_db.a_entries, + args->role_db.t_entries, args->num_sprole_pws)) { + security_alert_good(GR_INITF_ACL_MSG, GR_VERSION); + error = -ENOMEM; + free_variables(); + goto out; + } + + error = copy_user_acl(args); + free_init_variables(); + if (error) { + free_variables(); + goto out; + } + + if ((error = gr_set_acls(0))) { + free_variables(); + goto out; + } + + gr_status |= GR_READY; + out: + return error; +} + +static int +glob_match(char *pattern, char *string) +{ + char *p1, *p2; + + p1 = pattern; + p2 = string; + + while (*p1 != '\0' && *p2 != '\0' && *p1 != '*') { + if (*p1 == *p2 || *p1 == '?') { + p1++; + p2++; + } else + break; + } + if (*p1 == '*') { + p1++; + while (*p2 != '\0') { + if (!glob_match(p1, p2)) + return 0; + else + p2++; + } + } + + if (*p2 == '\0' && *p1 == '*') + while (*p1 == '*') + p1++; + + if (*p1 == '\0' && *p2 == '\0') + return 0; + else + return 1; +} + +static struct acl_object_label * +chk_glob_label(struct acl_object_label *globbed, + struct dentry *dentry, struct vfsmount *mnt, char **path) +{ + struct acl_object_label *tmp; + + if (*path == NULL) + *path = gr_to_filename_nolock(dentry, mnt); + + tmp = globbed; + + while (tmp) { + if (!glob_match(tmp->filename, *path)) + return tmp; + tmp = tmp->next; + } + + return NULL; +} + +static __inline__ struct acl_object_label * +full_lookup(const struct dentry *orig_dentry, const struct vfsmount *orig_mnt, + struct dentry *curr_dentry, + const struct acl_subject_label *subj, char **path) +{ + struct acl_subject_label *tmpsubj; + struct acl_object_label *retval; + struct acl_object_label *retval2; + + tmpsubj = (struct acl_subject_label *) subj; + read_lock(&gr_inode_lock); + do { + retval = lookup_acl_obj_label(curr_dentry->d_inode->i_ino, + curr_dentry->d_inode->i_sb->s_dev, tmpsubj); + if (retval) { + if (retval->globbed) { + retval2 = chk_glob_label(retval->globbed, (struct dentry *)orig_dentry, + (struct vfsmount *)orig_mnt, path); + if (retval2) + retval = retval2; + } + break; + } + } while ((tmpsubj = tmpsubj->parent_subject)); + read_unlock(&gr_inode_lock); + + return retval; +} + +static struct acl_object_label * +chk_obj_label(const struct dentry *l_dentry, const struct vfsmount *l_mnt, + const struct acl_subject_label *subj) +{ + struct dentry *dentry = (struct dentry *) l_dentry; + struct vfsmount *mnt = (struct vfsmount *) l_mnt; + struct dentry *root; + struct vfsmount *rootmnt; + struct acl_object_label *retval; + char *path = NULL; + + read_lock(&child_reaper->fs->lock); + rootmnt = mntget(child_reaper->fs->rootmnt); + root = dget(child_reaper->fs->root); + read_unlock(&child_reaper->fs->lock); + spin_lock(&dcache_lock); + + for (;;) { + if (dentry == root && mnt == rootmnt) + break; + if (dentry == mnt->mnt_root || IS_ROOT(dentry)) { + if (mnt->mnt_parent == mnt) + break; + + retval = full_lookup(l_dentry, l_mnt, dentry, subj, &path); + if (retval != NULL) + goto out; + + dentry = mnt->mnt_mountpoint; + mnt = mnt->mnt_parent; + continue; + } + + retval = full_lookup(l_dentry, l_mnt, dentry, subj, &path); + if (retval != NULL) + goto out; + + dentry = dentry->d_parent; + } + + retval = full_lookup(l_dentry, l_mnt, dentry, subj, &path); + + if (retval == NULL) + retval = full_lookup(l_dentry, l_mnt, root, subj, &path); +out: + spin_unlock(&dcache_lock); + dput(root); + mntput(rootmnt); + + return retval; +} + +static struct acl_object_label * +chk_obj_create_label(const struct dentry *l_dentry, const struct vfsmount *l_mnt, + const struct acl_subject_label *subj, char *path) +{ + struct dentry *dentry = (struct dentry *) l_dentry; + struct vfsmount *mnt = (struct vfsmount *) l_mnt; + struct dentry *root; + struct vfsmount *rootmnt; + struct acl_object_label *retval; + + read_lock(&child_reaper->fs->lock); + rootmnt = mntget(child_reaper->fs->rootmnt); + root = dget(child_reaper->fs->root); + read_unlock(&child_reaper->fs->lock); + spin_lock(&dcache_lock); + + for (;;) { + if (dentry == root && mnt == rootmnt) + break; + if (dentry == mnt->mnt_root || IS_ROOT(dentry)) { + if (mnt->mnt_parent == mnt) + break; + + retval = full_lookup(l_dentry, l_mnt, dentry, subj, &path); + if (retval != NULL) + goto out; + + dentry = mnt->mnt_mountpoint; + mnt = mnt->mnt_parent; + continue; + } + + retval = full_lookup(l_dentry, l_mnt, dentry, subj, &path); + if (retval != NULL) + goto out; + + dentry = dentry->d_parent; + } + + retval = full_lookup(l_dentry, l_mnt, dentry, subj, &path); + + if (retval == NULL) + retval = full_lookup(l_dentry, l_mnt, root, subj, &path); +out: + spin_unlock(&dcache_lock); + dput(root); + mntput(rootmnt); + + return retval; +} + +static struct acl_subject_label * +chk_subj_label(const struct dentry *l_dentry, const struct vfsmount *l_mnt, + const struct acl_role_label *role) +{ + struct dentry *dentry = (struct dentry *) l_dentry; + struct vfsmount *mnt = (struct vfsmount *) l_mnt; + struct dentry *root; + struct vfsmount *rootmnt; + struct acl_subject_label *retval; + + read_lock(&child_reaper->fs->lock); + rootmnt = mntget(child_reaper->fs->rootmnt); + root = dget(child_reaper->fs->root); + read_unlock(&child_reaper->fs->lock); + spin_lock(&dcache_lock); + + for (;;) { + if (unlikely(dentry == root && mnt == rootmnt)) + break; + if (unlikely(dentry == mnt->mnt_root || IS_ROOT(dentry))) { + if (mnt->mnt_parent == mnt) + break; + + read_lock(&gr_inode_lock); + retval = + lookup_acl_subj_label(dentry->d_inode->i_ino, + dentry->d_inode->i_sb->s_dev, role); + read_unlock(&gr_inode_lock); + if (unlikely(retval != NULL)) + goto out; + + dentry = mnt->mnt_mountpoint; + mnt = mnt->mnt_parent; + continue; + } + + read_lock(&gr_inode_lock); + retval = + lookup_acl_subj_label(dentry->d_inode->i_ino, + dentry->d_inode->i_sb->s_dev, role); + read_unlock(&gr_inode_lock); + if (unlikely(retval != NULL)) + goto out; + + dentry = dentry->d_parent; + } + + read_lock(&gr_inode_lock); + retval = + lookup_acl_subj_label(dentry->d_inode->i_ino, + dentry->d_inode->i_sb->s_dev, role); + read_unlock(&gr_inode_lock); + + if (unlikely(retval == NULL)) { + read_lock(&gr_inode_lock); + retval = + lookup_acl_subj_label(root->d_inode->i_ino, + root->d_inode->i_sb->s_dev, role); + read_unlock(&gr_inode_lock); + } + out: + spin_unlock(&dcache_lock); + dput(root); + mntput(rootmnt); + + return retval; +} + +static __inline__ void +gr_log_learn(const struct acl_role_label *role, const uid_t uid, const gid_t gid, + const struct task_struct *task, const char *pathname, + const __u32 mode) +{ + security_learn(GR_LEARN_AUDIT_MSG, role->rolename, role->roletype, + uid, gid, task->exec_file ? gr_to_filename1(task->exec_file->f_dentry, + task->exec_file->f_vfsmnt) : task->acl->filename, task->acl->filename, + 1, 1, pathname, (unsigned long) mode, NIPQUAD(task->curr_ip)); + + return; +} + +__u32 +gr_check_link(const struct dentry * new_dentry, + const struct dentry * parent_dentry, + const struct vfsmount * parent_mnt, + const struct dentry * old_dentry, const struct vfsmount * old_mnt) +{ + struct acl_object_label *obj; + __u32 oldmode, newmode; + + if (unlikely(!(gr_status & GR_READY))) + return (GR_WRITE | GR_CREATE); + + obj = chk_obj_label(old_dentry, old_mnt, current->acl); + oldmode = obj->mode; + + if (current->acl->mode & GR_LEARN) + oldmode |= (GR_WRITE | GR_CREATE); + newmode = + gr_check_create(new_dentry, parent_dentry, parent_mnt, + oldmode | GR_CREATE | GR_AUDIT_CREATE | + GR_AUDIT_WRITE | GR_SUPPRESS); + + if ((newmode & oldmode) == oldmode) + return newmode; + else if (current->acl->mode & GR_LEARN) { + gr_log_learn(current->role, current->uid, current->gid, + current, gr_to_filename(old_dentry, old_mnt), oldmode); + return (GR_WRITE | GR_CREATE); + } else if (newmode & GR_SUPPRESS) + return GR_SUPPRESS; + else + return 0; +} + +__u32 +gr_search_file(const struct dentry * dentry, const __u32 mode, + const struct vfsmount * mnt) +{ + __u32 retval = mode; + struct acl_subject_label *curracl; + struct acl_object_label *currobj; + + if (unlikely(!(gr_status & GR_READY))) + return (mode & ~GR_AUDITS); + + curracl = current->acl; + + currobj = chk_obj_label(dentry, mnt, curracl); + retval = currobj->mode & mode; + + if (unlikely + ((curracl->mode & GR_LEARN) && !(mode & GR_NOPTRACE) + && (retval != (mode & ~(GR_AUDITS | GR_SUPPRESS))))) { + __u32 new_mode = mode; + + new_mode &= ~(GR_AUDITS | GR_SUPPRESS); + + retval = new_mode; + + if (!(mode & GR_NOLEARN)) + gr_log_learn(current->role, current->uid, current->gid, + current, gr_to_filename(dentry, mnt), new_mode); + } + + return retval; +} + +__u32 +gr_check_create(const struct dentry * new_dentry, const struct dentry * parent, + const struct vfsmount * mnt, const __u32 mode) +{ + struct name_entry *match; + struct acl_object_label *matchpo; + struct acl_subject_label *curracl; + char *path; + __u32 retval; + + if (unlikely(!(gr_status & GR_READY))) + return (mode & ~GR_AUDITS); + + preempt_disable(); + path = gr_to_filename(new_dentry, mnt); + match = lookup_name_entry(path); + + if (!match) + goto check_parent; + + curracl = current->acl; + + read_lock(&gr_inode_lock); + matchpo = lookup_acl_obj_label_create(match->inode, match->device, curracl); + read_unlock(&gr_inode_lock); + + if (matchpo) { + if ((matchpo->mode & mode) != + (mode & ~(GR_AUDITS | GR_SUPPRESS)) + && curracl->mode & GR_LEARN) { + __u32 new_mode = mode; + + new_mode &= ~(GR_AUDITS | GR_SUPPRESS); + + gr_log_learn(current->role, current->uid, current->gid, + current, gr_to_filename(new_dentry, mnt), new_mode); + + preempt_enable(); + return new_mode; + } + preempt_enable(); + return (matchpo->mode & mode); + } + + check_parent: + curracl = current->acl; + + matchpo = chk_obj_create_label(parent, mnt, curracl, path); + retval = matchpo->mode & mode; + + if ((retval != (mode & ~(GR_AUDITS | GR_SUPPRESS))) + && (curracl->mode & GR_LEARN)) { + __u32 new_mode = mode; + + new_mode &= ~(GR_AUDITS | GR_SUPPRESS); + + gr_log_learn(current->role, current->uid, current->gid, + current, gr_to_filename(new_dentry, mnt), new_mode); + preempt_enable(); + return new_mode; + } + + preempt_enable(); + return retval; +} + +int +gr_check_hidden_task(const struct task_struct *task) +{ + if (unlikely(!(gr_status & GR_READY))) + return 0; + + if (!(task->acl->mode & GR_FIND) && !(current->acl->mode & GR_VIEW)) + return 1; + + return 0; +} + +int +gr_check_protected_task(const struct task_struct *task) +{ + if (unlikely(!(gr_status & GR_READY) || !task)) + return 0; + + if ((task->acl->mode & GR_PROTECTED) && !(current->acl->mode & GR_KILL)) + return 1; + + return 0; +} + +__inline__ void +gr_copy_label(struct task_struct *tsk) +{ + tsk->used_accept = 0; + tsk->acl_sp_role = 0; + tsk->acl_role_id = current->acl_role_id; + tsk->acl = current->acl; + tsk->role = current->role; + tsk->curr_ip = current->curr_ip; + if (current->exec_file) + get_file(current->exec_file); + tsk->exec_file = current->exec_file; + tsk->is_writable = current->is_writable; + if (unlikely(current->used_accept)) + current->curr_ip = 0; + + return; +} + +static __inline__ void +gr_set_proc_res(void) +{ + struct acl_subject_label *proc; + unsigned short i; + + proc = current->acl; + + if (proc->mode & GR_LEARN) + return; + + for (i = 0; i < RLIM_NLIMITS; i++) { + if (!(proc->resmask & (1 << i))) + continue; + + current->rlim[i].rlim_cur = proc->res[i].rlim_cur; + current->rlim[i].rlim_max = proc->res[i].rlim_max; + } + + return; +} + +static __inline__ void +do_set_role_label(struct task_struct *task, const uid_t uid, const gid_t gid) +{ + task->role = lookup_acl_role_label(task, uid, gid); + + return; +} + +int +gr_check_user_change(int real, int effective, int fs) +{ + unsigned int i; + __u16 num; + uid_t *uidlist; + int curuid; + int realok = 0; + int effectiveok = 0; + int fsok = 0; + + if (unlikely(!(gr_status & GR_READY))) + return 0; + + num = current->acl->user_trans_num; + uidlist = current->acl->user_transitions; + + if (uidlist == NULL) + return 0; + + if (real == -1) + realok = 1; + if (effective == -1) + effectiveok = 1; + if (fs == -1) + fsok = 1; + + if (current->acl->user_trans_type & GR_ID_ALLOW) { + for (i = 0; i < num; i++) { + curuid = (int)uidlist[i]; + if (real == curuid) + realok = 1; + if (effective == curuid) + effectiveok = 1; + if (fs == curuid) + fsok = 1; + } + } else if (current->acl->user_trans_type & GR_ID_DENY) { + for (i = 0; i < num; i++) { + curuid = (int)uidlist[i]; + if (real == curuid) + break; + if (effective == curuid) + break; + if (fs == curuid) + break; + } + /* not in deny list */ + if (i == num) { + realok = 1; + effectiveok = 1; + fsok = 1; + } + } + + if (realok && effectiveok && fsok) + return 0; + else { + security_alert(GR_USRCHANGE_ACL_MSG, + realok ? (effectiveok ? (fsok ? 0 : fs) : effective) : real, DEFAULTSECARGS); + return 1; + } +} + +int +gr_check_group_change(int real, int effective, int fs) +{ + unsigned int i; + __u16 num; + gid_t *gidlist; + int curgid; + int realok = 0; + int effectiveok = 0; + int fsok = 0; + + if (unlikely(!(gr_status & GR_READY))) + return 0; + + num = current->acl->group_trans_num; + gidlist = current->acl->group_transitions; + + if (gidlist == NULL) + return 0; + + if (real == -1) + realok = 1; + if (effective == -1) + effectiveok = 1; + if (fs == -1) + fsok = 1; + + if (current->acl->group_trans_type & GR_ID_ALLOW) { + for (i = 0; i < num; i++) { + curgid = (int)gidlist[i]; + if (real == curgid) + realok = 1; + if (effective == curgid) + effectiveok = 1; + if (fs == curgid) + fsok = 1; + } + } else if (current->acl->group_trans_type & GR_ID_DENY) { + for (i = 0; i < num; i++) { + curgid = (int)gidlist[i]; + if (real == curgid) + break; + if (effective == curgid) + break; + if (fs == curgid) + break; + } + /* not in deny list */ + if (i == num) { + realok = 1; + effectiveok = 1; + fsok = 1; + } + } + + if (realok && effectiveok && fsok) + return 0; + else { + security_alert(GR_GRPCHANGE_ACL_MSG, + realok ? (effectiveok ? (fsok ? 0 : fs) : effective) : real, DEFAULTSECARGS); + return 1; + } +} + +void +gr_set_role_label(struct task_struct *task, const uid_t uid, const uid_t gid) +{ + struct acl_object_label *obj; + struct file *filp; + + if (unlikely(!(gr_status & GR_READY))) + return; + + filp = task->exec_file; + + /* kernel process, we'll give them the kernel role */ + if (unlikely(!filp)) { + task->role = kernel_role; + task->acl = kernel_role->root_label; + return; + } else if (!task->role || !(task->role->roletype & GR_ROLE_SPECIAL)) + do_set_role_label(task, uid, gid); + + task->acl = + chk_subj_label(filp->f_dentry, filp->f_vfsmnt, task->role); + + task->is_writable = 0; + + /* ignore additional mmap checks for processes that are writable + by the default ACL */ + obj = chk_obj_label(filp->f_dentry, filp->f_vfsmnt, default_role->root_label); + if (unlikely(obj->mode & GR_WRITE)) + task->is_writable = 1; + obj = chk_obj_label(filp->f_dentry, filp->f_vfsmnt, task->role->root_label); + if (unlikely(obj->mode & GR_WRITE)) + task->is_writable = 1; + +#ifdef CONFIG_GRKERNSEC_ACL_DEBUG + printk(KERN_ALERT "Set role label for (%s:%d): role:%s, subject:%s\n", task->comm, task->pid, task->role->rolename, task->acl->filename); +#endif + + gr_set_proc_res(); + + return; +} + +void +gr_set_proc_label(const struct dentry *dentry, const struct vfsmount *mnt) +{ + struct acl_subject_label *newacl; + struct acl_object_label *obj; + __u32 retmode; + + if (unlikely(!(gr_status & GR_READY))) + return; + + newacl = chk_subj_label(dentry, mnt, current->role); + + obj = chk_obj_label(dentry, mnt, current->acl); + retmode = obj->mode & (GR_INHERIT | GR_AUDIT_INHERIT); + + if ((newacl->mode & GR_LEARN) || !(retmode & GR_INHERIT)) { + if (obj->nested) + current->acl = obj->nested; + else + current->acl = newacl; + } else if (retmode & GR_INHERIT && retmode & GR_AUDIT_INHERIT) + security_audit(GR_INHERIT_ACL_MSG, current->acl->filename, + gr_to_filename(dentry, mnt), DEFAULTSECARGS); + + current->is_writable = 0; + + /* ignore additional mmap checks for processes that are writable + by the default ACL */ + obj = chk_obj_label(dentry, mnt, default_role->root_label); + if (unlikely(obj->mode & GR_WRITE)) + current->is_writable = 1; + obj = chk_obj_label(dentry, mnt, current->role->root_label); + if (unlikely(obj->mode & GR_WRITE)) + current->is_writable = 1; + + gr_set_proc_res(); + +#ifdef CONFIG_GRKERNSEC_ACL_DEBUG + printk(KERN_ALERT "Set subject label for (%s:%d): role:%s, subject:%s\n", current->comm, current->pid, current->role->rolename, current->acl->filename); +#endif + return; +} + +static __inline__ void +do_handle_delete(const ino_t ino, const dev_t dev) +{ + struct acl_object_label *matchpo; + struct acl_subject_label *matchps; + struct acl_subject_label *i; + struct acl_role_label *role; + + for (role = role_list_head; role; role = role->next) { + for (i = role->hash->first; i; i = i->next) { + if (unlikely((i->mode & GR_NESTED) && + (i->inode == ino) && + (i->device == dev))) + i->mode |= GR_DELETED; + if (unlikely((matchpo = + lookup_acl_obj_label(ino, dev, i)) != NULL)) + matchpo->mode |= GR_DELETED; + } + + if (unlikely((matchps = lookup_acl_subj_label(ino, dev, role)) != NULL)) + matchps->mode |= GR_DELETED; + } + + return; +} + +void +gr_handle_delete(const ino_t ino, const dev_t dev) +{ + if (unlikely(!(gr_status & GR_READY))) + return; + + write_lock(&gr_inode_lock); + if (unlikely((unsigned long)lookup_inodev_entry(ino, dev))) + do_handle_delete(ino, dev); + write_unlock(&gr_inode_lock); + + return; +} + +static __inline__ void +update_acl_obj_label(const ino_t oldinode, const dev_t olddevice, + const ino_t newinode, const dev_t newdevice, + struct acl_subject_label *subj) +{ + unsigned long index = fhash(oldinode, olddevice, subj->obj_hash_size); + struct acl_object_label **match; + struct acl_object_label *tmp; + __u8 i = 0; + + match = &subj->obj_hash[index]; + + while (*match && ((*match)->inode != oldinode || + (*match)->device != olddevice || + !((*match)->mode & GR_DELETED))) { + index = (index + (1 << i)) % subj->obj_hash_size; + match = &subj->obj_hash[index]; + i = (i + 1) % 32; + } + + if (*match && ((*match) != deleted_object) + && ((*match)->inode == oldinode) + && ((*match)->device == olddevice) + && ((*match)->mode & GR_DELETED)) { + tmp = *match; + tmp->inode = newinode; + tmp->device = newdevice; + tmp->mode &= ~GR_DELETED; + + *match = deleted_object; + + insert_acl_obj_label(tmp, subj); + } + + return; +} + +static __inline__ void +update_acl_subj_label(const ino_t oldinode, const dev_t olddevice, + const ino_t newinode, const dev_t newdevice, + struct acl_role_label *role) +{ + struct acl_subject_label **s_hash = role->subj_hash; + unsigned long subj_size = role->subj_hash_size; + unsigned long index = fhash(oldinode, olddevice, subj_size); + struct acl_subject_label **match; + struct acl_subject_label *tmp; + __u8 i = 0; + + match = &s_hash[index]; + + while (*match && ((*match)->inode != oldinode || + (*match)->device != olddevice || + !((*match)->mode & GR_DELETED))) { + index = (index + (1 << i)) % subj_size; + i = (i + 1) % 32; + match = &s_hash[index]; + } + + if (*match && (*match != deleted_subject) + && ((*match)->inode == oldinode) + && ((*match)->device == olddevice) + && ((*match)->mode & GR_DELETED)) { + tmp = *match; + + tmp->inode = newinode; + tmp->device = newdevice; + tmp->mode &= ~GR_DELETED; + + *match = deleted_subject; + + insert_acl_subj_label(tmp, role); + } + + return; +} + +static __inline__ void +update_inodev_entry(const ino_t oldinode, const dev_t olddevice, + const ino_t newinode, const dev_t newdevice) +{ + unsigned long index = fhash(oldinode, olddevice, inodev_set.n_size); + struct name_entry **match; + struct name_entry *tmp; + __u8 i = 0; + + match = &inodev_set.n_hash[index]; + + while (*match + && ((*match)->inode != oldinode + || (*match)->device != olddevice)) { + index = (index + (1 << i)) % inodev_set.n_size; + i = (i + 1) % 32; + match = &inodev_set.n_hash[index]; + } + + if (*match && (*match != deleted_inodev) + && ((*match)->inode == oldinode) + && ((*match)->device == olddevice)) { + tmp = *match; + + tmp->inode = newinode; + tmp->device = newdevice; + + *match = deleted_inodev; + + insert_inodev_entry(tmp); + } + + return; +} + +static __inline__ void +do_handle_create(const struct name_entry *matchn, const struct dentry *dentry, + const struct vfsmount *mnt) +{ + struct acl_subject_label *i; + struct acl_role_label *role; + + for (role = role_list_head; role; role = role->next) { + update_acl_subj_label(matchn->inode, matchn->device, + dentry->d_inode->i_ino, + dentry->d_inode->i_sb->s_dev, role); + + for (i = role->hash->first; i; i = i->next) { + if (unlikely((i->mode & GR_NESTED) && + (i->inode == dentry->d_inode->i_ino) && + (i->device == dentry->d_inode->i_sb->s_dev))) { + i->inode = dentry->d_inode->i_ino; + i->device = dentry->d_inode->i_sb->s_dev; + } + update_acl_obj_label(matchn->inode, matchn->device, + dentry->d_inode->i_ino, + dentry->d_inode->i_sb->s_dev, i); + } + } + + update_inodev_entry(matchn->inode, matchn->device, + dentry->d_inode->i_ino, dentry->d_inode->i_sb->s_dev); + + return; +} + +void +gr_handle_create(const struct dentry *dentry, const struct vfsmount *mnt) +{ + struct name_entry *matchn; + + if (unlikely(!(gr_status & GR_READY))) + return; + + preempt_disable(); + matchn = lookup_name_entry(gr_to_filename(dentry, mnt)); + preempt_enable(); + + if (unlikely((unsigned long)matchn)) { + write_lock(&gr_inode_lock); + do_handle_create(matchn, dentry, mnt); + write_unlock(&gr_inode_lock); + } + + return; +} + +void +gr_handle_rename(struct inode *old_dir, struct inode *new_dir, + struct dentry *old_dentry, + struct dentry *new_dentry, + struct vfsmount *mnt, const __u8 replace) +{ + struct name_entry *matchn; + + if (unlikely(!(gr_status & GR_READY))) + return; + + preempt_disable(); + matchn = lookup_name_entry(gr_to_filename(new_dentry, mnt)); + preempt_enable(); + + /* we wouldn't have to check d_inode if it weren't for + NFS silly-renaming + */ + + write_lock(&gr_inode_lock); + if (unlikely(replace && new_dentry->d_inode)) { + if (unlikely(lookup_inodev_entry(new_dentry->d_inode->i_ino, + new_dentry->d_inode->i_sb->s_dev) && + (old_dentry->d_inode->i_nlink <= 1))) + do_handle_delete(new_dentry->d_inode->i_ino, + new_dentry->d_inode->i_sb->s_dev); + } + + if (unlikely(lookup_inodev_entry(old_dentry->d_inode->i_ino, + old_dentry->d_inode->i_sb->s_dev) && + (old_dentry->d_inode->i_nlink <= 1))) + do_handle_delete(old_dentry->d_inode->i_ino, + old_dentry->d_inode->i_sb->s_dev); + + if (unlikely((unsigned long)matchn)) + do_handle_create(matchn, old_dentry, mnt); + write_unlock(&gr_inode_lock); + + return; +} + +static int +lookup_special_role_auth(const char *rolename, unsigned char **salt, + unsigned char **sum) +{ + struct acl_role_label *r; + struct role_transition *trans; + __u16 i; + int found = 0; + + /* check transition table */ + + for (trans = current->role->transitions; trans; trans = trans->next) { + if (!strcmp(rolename, trans->rolename)) { + found = 1; + break; + } + } + + if (!found) + return 0; + + /* handle special roles that do not require authentication */ + + for (r = role_list_head; r; r = r->next) { + if (!strcmp(rolename, r->rolename) + && (r->roletype & GR_ROLE_NOPW)) { + *salt = NULL; + *sum = NULL; + return 1; + } + } + + for (i = 0; i < num_sprole_pws; i++) { + if (!strcmp(rolename, acl_special_roles[i]->rolename)) { + *salt = acl_special_roles[i]->salt; + *sum = acl_special_roles[i]->sum; + return 1; + } + } + + return 0; +} + +static void +assign_special_role(char *rolename) +{ + struct acl_object_label *obj; + struct acl_role_label *r; + struct acl_role_label *assigned = NULL; + struct task_struct *tsk; + struct file *filp; + + for (r = role_list_head; r; r = r->next) + if (!strcmp(rolename, r->rolename) && + (r->roletype & GR_ROLE_SPECIAL)) + assigned = r; + + if (!assigned) + return; + + tsk = current->parent; + filp = tsk->exec_file; + + if (tsk && filp) { + tsk->is_writable = 0; + + acl_sp_role_value = (acl_sp_role_value % 65535) + 1; + tsk->acl_sp_role = 1; + tsk->acl_role_id = acl_sp_role_value; + tsk->role = assigned; + tsk->acl = + chk_subj_label(filp->f_dentry, filp->f_vfsmnt, tsk->role); + + /* ignore additional mmap checks for processes that are writable + by the default ACL */ + obj = chk_obj_label(filp->f_dentry, filp->f_vfsmnt, default_role->root_label); + if (unlikely(obj->mode & GR_WRITE)) + tsk->is_writable = 1; + obj = chk_obj_label(filp->f_dentry, filp->f_vfsmnt, tsk->role->root_label); + if (unlikely(obj->mode & GR_WRITE)) + tsk->is_writable = 1; + +#ifdef CONFIG_GRKERNSEC_ACL_DEBUG + printk(KERN_ALERT "Assigning special role:%s subject:%s to process (%s:%d)\n", tsk->role->rolename, tsk->acl->filename, tsk->comm, tsk->pid); +#endif + } + + return; +} + +ssize_t +write_grsec_handler(struct file *file, const char * buf, size_t count, loff_t *ppos) +{ + struct gr_arg *arg; + unsigned char *sprole_salt; + unsigned char *sprole_sum; + int error = sizeof (struct gr_arg); + int error2 = 0; + + down(&gr_dev_sem); + + arg = (struct gr_arg *) buf; + + if (count != sizeof (struct gr_arg)) { + security_alert_good(GR_DEV_ACL_MSG, count, + (int) sizeof (struct gr_arg)); + error = -EINVAL; + goto out; + } + + if ((gr_auth_attempts >= CONFIG_GRKERNSEC_ACL_MAXTRIES) + && time_before_eq(gr_auth_expires, get_seconds())) { + gr_auth_expires = 0; + gr_auth_attempts = 0; + } + + if (copy_from_user(gr_usermode, arg, sizeof (struct gr_arg))) { + error = -EFAULT; + goto out; + } + + if (gr_usermode->mode != SPROLE && time_after(gr_auth_expires, get_seconds())) { + error = -EBUSY; + goto out; + } + + /* if non-root trying to do anything other than use a special role, + do not attempt authentication, do not count towards authentication + locking + */ + + if (gr_usermode->mode != SPROLE && current->uid) { + error = -EPERM; + goto out; + } + + /* ensure pw and special role name are null terminated */ + + gr_usermode->pw[GR_PW_LEN - 1] = '\0'; + gr_usermode->sp_role[GR_SPROLE_LEN - 1] = '\0'; + + /* Okay. + * We have our enough of the argument structure..(we have yet + * to copy_from_user the tables themselves) . Copy the tables + * only if we need them, i.e. for loading operations. */ + + switch (gr_usermode->mode) { + case STATUS: + if (gr_status & GR_READY) + error = 1; + else + error = 2; + goto out; + case SHUTDOWN: + if ((gr_status & GR_READY) + && !(chkpw(gr_usermode, gr_system_salt, gr_system_sum))) { + gr_status &= ~GR_READY; + security_alert_good(GR_SHUTS_ACL_MSG, DEFAULTSECARGS); + free_variables(); + memset(gr_usermode, 0, sizeof (struct gr_arg)); + memset(gr_system_salt, 0, GR_SALT_LEN); + memset(gr_system_sum, 0, GR_SHA_LEN); + } else if (gr_status & GR_READY) { + security_alert(GR_SHUTF_ACL_MSG, DEFAULTSECARGS); + error = -EPERM; + } else { + security_alert_good(GR_SHUTI_ACL_MSG, DEFAULTSECARGS); + error = -EAGAIN; + } + break; + case ENABLE: + if (!(gr_status & GR_READY) && !(error2 = gracl_init(gr_usermode))) + security_alert_good(GR_ENABLE_ACL_MSG, GR_VERSION); + else { + if (gr_status & GR_READY) + error = -EAGAIN; + else + error = error2; + security_alert(GR_ENABLEF_ACL_MSG, GR_VERSION, + DEFAULTSECARGS); + } + break; + case RELOAD: + if (!(gr_status & GR_READY)) { + security_alert_good(GR_RELOADI_ACL_MSG); + error = -EAGAIN; + } else if (!(chkpw(gr_usermode, gr_system_salt, gr_system_sum))) { + lock_kernel(); + gr_status &= ~GR_READY; + free_variables(); + if (!(error2 = gracl_init(gr_usermode))) { + unlock_kernel(); + security_alert_good(GR_RELOAD_ACL_MSG, + GR_VERSION); + } else { + unlock_kernel(); + error = error2; + security_alert(GR_RELOADF_ACL_MSG, GR_VERSION, + DEFAULTSECARGS); + } + } else { + security_alert(GR_RELOADF_ACL_MSG, GR_VERSION, + DEFAULTSECARGS); + error = -EPERM; + } + break; + case SEGVMOD: + if (unlikely(!(gr_status & GR_READY))) { + security_alert_good(GR_SEGVMODI_ACL_MSG, + DEFAULTSECARGS); + error = -EAGAIN; + break; + } + + if (!(chkpw(gr_usermode, gr_system_salt, gr_system_sum))) { + security_alert_good(GR_SEGVMODS_ACL_MSG, + DEFAULTSECARGS); + if (gr_usermode->segv_device && gr_usermode->segv_inode) { + struct acl_subject_label *segvacl; + segvacl = + lookup_acl_subj_label(gr_usermode->segv_inode, + gr_usermode->segv_device, + current->role); + if (segvacl) { + segvacl->crashes = 0; + segvacl->expires = 0; + } + } else if (gr_find_uid(gr_usermode->segv_uid) >= 0) { + gr_remove_uid(gr_usermode->segv_uid); + } + } else { + security_alert(GR_SEGVMODF_ACL_MSG, DEFAULTSECARGS); + error = -EPERM; + } + break; + case SPROLE: + if (unlikely(!(gr_status & GR_READY))) { + security_alert_good(GR_SPROLEI_ACL_MSG, DEFAULTSECARGS); + error = -EAGAIN; + break; + } + + if ((current->role->auth_attempts >= CONFIG_GRKERNSEC_ACL_MAXTRIES) + && time_before_eq(current->role->expires, get_seconds())) { + current->role->expires = 0; + current->role->auth_attempts = 0; + } + + if (time_after(current->role->expires, get_seconds())) { + error = -EBUSY; + goto out; + } + + if (lookup_special_role_auth + (gr_usermode->sp_role, &sprole_salt, &sprole_sum) + && ((!sprole_salt && !sprole_sum) + || !(chkpw(gr_usermode, sprole_salt, sprole_sum)))) { + assign_special_role(gr_usermode->sp_role); + security_alert_good(GR_SPROLES_ACL_MSG, + (current->parent) ? current-> + parent->role->rolename : "", + acl_sp_role_value, DEFAULTSECARGS); + } else { + security_alert(GR_SPROLEF_ACL_MSG, gr_usermode->sp_role, + DEFAULTSECARGS); + error = -EPERM; + current->role->auth_attempts++; + if (current->role->auth_attempts >= CONFIG_GRKERNSEC_ACL_MAXTRIES) { + current->role->expires = + get_seconds() + CONFIG_GRKERNSEC_ACL_TIMEOUT; + security_alert(GR_MAXROLEPW_ACL_MSG, + CONFIG_GRKERNSEC_ACL_MAXTRIES, + gr_usermode->sp_role, DEFAULTSECARGS); + } + + goto out; + } + break; + case UNSPROLE: + if (unlikely(!(gr_status & GR_READY))) { + security_alert_good(GR_UNSPROLEI_ACL_MSG, DEFAULTSECARGS); + error = -EAGAIN; + break; + } + + if ((current->role->auth_attempts >= CONFIG_GRKERNSEC_ACL_MAXTRIES) + && time_before_eq(current->role->expires, get_seconds())) { + current->role->expires = 0; + current->role->auth_attempts = 0; + } + + if (time_after(current->role->expires, get_seconds())) { + error = -EBUSY; + goto out; + } + + if ((current->role->roletype & GR_ROLE_SPECIAL) && + lookup_special_role_auth + (current->role->rolename, &sprole_salt, &sprole_sum) + && ((!sprole_salt && !sprole_sum) + || !(chkpw(gr_usermode, sprole_salt, sprole_sum)))) { + security_alert_good(GR_UNSPROLES_ACL_MSG, + (current->parent) ? current-> + parent->role->rolename : "", + (current->parent) ? current-> + parent->acl_role_id : 0, DEFAULTSECARGS); + gr_set_acls(1); + if (current->parent) + current->parent->acl_sp_role = 0; + } else { + security_alert(GR_UNSPROLEF_ACL_MSG, current->role->rolename, + DEFAULTSECARGS); + error = -EPERM; + current->role->auth_attempts++; + if (current->role->auth_attempts >= CONFIG_GRKERNSEC_ACL_MAXTRIES) { + current->role->expires = + get_seconds() + CONFIG_GRKERNSEC_ACL_TIMEOUT; + security_alert(GR_MAXROLEPW_ACL_MSG, + CONFIG_GRKERNSEC_ACL_MAXTRIES, + current->role->rolename, DEFAULTSECARGS); + } + + goto out; + } + break; + default: + security_alert(GR_INVMODE_ACL_MSG, gr_usermode->mode, + DEFAULTSECARGS); + error = -EINVAL; + break; + } + + if (error != -EPERM) + goto out; + + gr_auth_attempts++; + + if (gr_auth_attempts >= CONFIG_GRKERNSEC_ACL_MAXTRIES) { + security_alert(GR_MAXPW_ACL_MSG, CONFIG_GRKERNSEC_ACL_MAXTRIES); + gr_auth_expires = get_seconds() + CONFIG_GRKERNSEC_ACL_TIMEOUT; + } + + out: + up(&gr_dev_sem); + return error; +} + +int +gr_set_acls(const int type) +{ + struct acl_object_label *obj; + struct task_struct *task, *task2; + struct file *filp; + unsigned short i; + + read_lock(&tasklist_lock); + for_each_process(task2) { + task = task2; + do { + /* check to see if we're called from the exit handler, + if so, only replace ACLs that have inherited the admin + ACL */ + + if (type && (task->role != current->role || + task->acl_role_id != current->acl_role_id)) + continue; + + task->acl_role_id = 0; + + if ((filp = task->exec_file)) { + do_set_role_label(task, task->uid, task->gid); + + task->acl = + chk_subj_label(filp->f_dentry, filp->f_vfsmnt, + task->role); + if (task->acl) { + struct acl_subject_label *curr; + curr = task->acl; + + task->is_writable = 0; + /* ignore additional mmap checks for processes that are writable + by the default ACL */ + obj = chk_obj_label(filp->f_dentry, filp->f_vfsmnt, default_role->root_label); + if (unlikely(obj->mode & GR_WRITE)) + task->is_writable = 1; + obj = chk_obj_label(filp->f_dentry, filp->f_vfsmnt, task->role->root_label); + if (unlikely(obj->mode & GR_WRITE)) + task->is_writable = 1; + +#ifdef CONFIG_GRKERNSEC_ACL_DEBUG + printk(KERN_ALERT "gr_set_acls for (%s:%d): role:%s, subject:%s\n", task->comm, task->pid, task->role->rolename, task->acl->filename); +#endif + if (!(curr->mode & GR_LEARN)) + for (i = 0; i < RLIM_NLIMITS; i++) { + if (!(curr->resmask & (1 << i))) + continue; + + task->rlim[i].rlim_cur = + curr->res[i].rlim_cur; + task->rlim[i].rlim_max = + curr->res[i].rlim_max; + } + } else { + read_unlock(&tasklist_lock); + security_alert_good(GR_DEFACL_MSG, task->comm, + task->pid); + return 1; + } + } else { + // it's a kernel process + task->role = kernel_role; + task->acl = kernel_role->root_label; +#ifdef CONFIG_GRKERNSEC_ACL_HIDEKERN + task->acl->mode &= ~GR_FIND; +#endif + } + } while ((task = next_thread(task)) != task2); + } + read_unlock(&tasklist_lock); + return 0; +} + +EXPORT_SYMBOL(gr_learn_resource); + +void +gr_learn_resource(const struct task_struct *task, + const int res, const unsigned long wanted, const int gt) +{ + struct acl_subject_label *acl; + + if (unlikely((gr_status & GR_READY) && + task->acl && (task->acl->mode & GR_LEARN))) + goto skip_reslog; + +#ifdef CONFIG_GRKERNSEC_RESLOG + gr_log_resource(task, res, wanted, gt); +#endif + skip_reslog: + + if (unlikely(!(gr_status & GR_READY) || !wanted)) + return; + + acl = task->acl; + + if (likely(!acl || !(acl->mode & GR_LEARN) || + !(acl->resmask & (1 << (unsigned short) res)))) + return; + + if (wanted >= acl->res[res].rlim_cur) { + unsigned long res_add; + + res_add = wanted; + switch (res) { + case RLIMIT_CPU: + res_add += GR_RLIM_CPU_BUMP; + break; + case RLIMIT_FSIZE: + res_add += GR_RLIM_FSIZE_BUMP; + break; + case RLIMIT_DATA: + res_add += GR_RLIM_DATA_BUMP; + break; + case RLIMIT_STACK: + res_add += GR_RLIM_STACK_BUMP; + break; + case RLIMIT_CORE: + res_add += GR_RLIM_CORE_BUMP; + break; + case RLIMIT_RSS: + res_add += GR_RLIM_RSS_BUMP; + break; + case RLIMIT_NPROC: + res_add += GR_RLIM_NPROC_BUMP; + break; + case RLIMIT_NOFILE: + res_add += GR_RLIM_NOFILE_BUMP; + break; + case RLIMIT_MEMLOCK: + res_add += GR_RLIM_MEMLOCK_BUMP; + break; + case RLIMIT_AS: + res_add += GR_RLIM_AS_BUMP; + break; + case RLIMIT_LOCKS: + res_add += GR_RLIM_LOCKS_BUMP; + break; + } + + acl->res[res].rlim_cur = res_add; + + if (wanted > acl->res[res].rlim_max) + acl->res[res].rlim_max = res_add; + + security_learn(GR_LEARN_AUDIT_MSG, current->role->rolename, + current->role->roletype, acl->filename, + acl->res[res].rlim_cur, acl->res[res].rlim_max, + "", (unsigned long) res); + } + + return; +} + +#ifdef CONFIG_SYSCTL +extern struct proc_dir_entry *proc_sys_root; + + +/* the following function is called under the BKL */ + +__u32 +gr_handle_sysctl(const struct ctl_table *table, const void *oldval, + const void *newval) +{ + struct proc_dir_entry *tmp; + struct nameidata nd; + const char *proc_sys = "/proc/sys"; + char *path; + struct acl_object_label *obj; + unsigned short len = 0, pos = 0, depth = 0, i; + __u32 err = 0; + __u32 mode = 0; + + if (unlikely(!(gr_status & GR_READY))) + return 1; + + path = per_cpu_ptr(gr_shared_page[0], smp_processor_id()); + + if (oldval) + mode |= GR_READ; + if (newval) + mode |= GR_WRITE; + + /* convert the requested sysctl entry into a pathname */ + + for (tmp = table->de; tmp != proc_sys_root; tmp = tmp->parent) { + len += strlen(tmp->name); + len++; + depth++; + } + + if ((len + depth + strlen(proc_sys) + 1) > PAGE_SIZE) + return 0; /* deny */ + + memset(path, 0, PAGE_SIZE); + + memcpy(path, proc_sys, strlen(proc_sys)); + + pos += strlen(proc_sys); + + for (; depth > 0; depth--) { + path[pos] = '/'; + pos++; + for (i = 1, tmp = table->de; tmp != proc_sys_root; + tmp = tmp->parent) { + if (depth == i) { + memcpy(path + pos, tmp->name, + strlen(tmp->name)); + pos += strlen(tmp->name); + } + i++; + } + } + + err = path_lookup(path, LOOKUP_FOLLOW, &nd); + + if (err) + goto out; + + obj = chk_obj_label(nd.dentry, nd.mnt, current->acl); + err = obj->mode & (mode | to_gr_audit(mode) | GR_SUPPRESS); + + if (unlikely((current->acl->mode & GR_LEARN) && ((err & mode) != mode))) { + __u32 new_mode = mode; + + new_mode &= ~(GR_AUDITS | GR_SUPPRESS); + + err = new_mode; + gr_log_learn(current->role, current->uid, current->gid, + current, path, new_mode); + } else if ((err & mode) != mode && !(err & GR_SUPPRESS)) { + security_alert(GR_SYSCTL_ACL_MSG, "denied", path, + (mode & GR_READ) ? " reading" : "", + (mode & GR_WRITE) ? " writing" : "", + DEFAULTSECARGS); + err = 0; + } else if ((err & mode) != mode) { + err = 0; + } else if (((err & mode) == mode) && (err & GR_AUDITS)) { + security_audit(GR_SYSCTL_ACL_MSG, "successful", + path, (mode & GR_READ) ? " reading" : "", + (mode & GR_WRITE) ? " writing" : "", + DEFAULTSECARGS); + } + + path_release(&nd); + + out: + return err; +} +#endif + +int +gr_handle_proc_ptrace(struct task_struct *task) +{ + struct file *filp; + struct task_struct *tmp = task; + struct task_struct *curtemp = current; + __u32 retmode; + + if (unlikely(!(gr_status & GR_READY))) + return 0; + + filp = task->exec_file; + + read_lock(&tasklist_lock); + while (tmp->pid > 0) { + if (tmp == curtemp) + break; + tmp = tmp->parent; + } + read_unlock(&tasklist_lock); + + if (tmp->pid == 0 && !(current->acl->mode & GR_RELAXPTRACE)) + return 1; + + retmode = gr_search_file(filp->f_dentry, GR_NOPTRACE, filp->f_vfsmnt); + + if (retmode & GR_NOPTRACE) + return 1; + + if (!(current->acl->mode & GR_OVERRIDE) && !(current->role->roletype & GR_ROLE_GOD) + && (current->acl != task->acl || (current->acl != current->role->root_label + && current->pid != task->pid))) + return 1; + + return 0; +} + +int +gr_handle_ptrace(struct task_struct *task, const long request) +{ + struct file *filp; + struct task_struct *tmp = task; + struct task_struct *curtemp = current; + __u32 retmode; + + if (unlikely(!(gr_status & GR_READY))) + return 0; + + filp = task->exec_file; + + if (task->acl->mode & GR_NOPTRACE) { + security_alert(GR_PTRACE_ACL_MSG, filp ? + gr_to_filename(filp->f_dentry, filp->f_vfsmnt) + : "(none)", task->comm, task->pid, + DEFAULTSECARGS); + return 1; + } + + read_lock(&tasklist_lock); + while (tmp->pid > 0) { + if (tmp == curtemp) + break; + tmp = tmp->parent; + } + read_unlock(&tasklist_lock); + + if (tmp->pid == 0 && !(current->acl->mode & GR_RELAXPTRACE)) { + security_alert(GR_PTRACE_ACL_MSG, filp ? + gr_to_filename(filp->f_dentry, filp->f_vfsmnt) + : "(none)", task->comm, task->pid, + DEFAULTSECARGS); + return 1; + } + + if (unlikely(!filp)) + return 0; + + retmode = gr_search_file(filp->f_dentry, GR_PTRACERD | GR_NOPTRACE, filp->f_vfsmnt); + + if (retmode & GR_NOPTRACE) { + security_alert(GR_PTRACE_ACL_MSG, gr_to_filename(filp->f_dentry, filp->f_vfsmnt), + task->comm, task->pid, DEFAULTSECARGS); + return 1; + } + + if (retmode & GR_PTRACERD) { + switch (request) { + case PTRACE_POKETEXT: + case PTRACE_POKEDATA: + case PTRACE_POKEUSR: +#if !defined(CONFIG_PPC32) && !defined(CONFIG_PARISC) && !defined(CONFIG_ALPHA) + case PTRACE_SETREGS: + case PTRACE_SETFPREGS: +#endif +#ifdef CONFIG_X86 + case PTRACE_SETFPXREGS: +#endif +#ifdef CONFIG_ALTIVEC + case PTRACE_SETVRREGS: +#endif + return 1; + default: + return 0; + } + } else if (!(current->acl->mode & GR_OVERRIDE) && + !(current->role->roletype & GR_ROLE_GOD) + && (current->acl != task->acl + || (current->acl != current->role->root_label + && current->pid != task->pid))) { + security_alert(GR_PTRACE_ACL_MSG, + gr_to_filename(filp->f_dentry, filp->f_vfsmnt), + task->comm, task->pid, DEFAULTSECARGS); + return 1; + } + + return 0; +} + +int +gr_handle_ptrace_exec(const struct dentry *dentry, const struct vfsmount *mnt) +{ + __u32 retmode; + struct acl_subject_label *subj; + + if (unlikely(!(gr_status & GR_READY))) + return 0; + + if (unlikely + ((current->ptrace & PT_PTRACED) + && !(current->acl->mode & GR_OVERRIDE))) + retmode = gr_search_file(dentry, GR_PTRACERD, mnt); + else + return 0; + + subj = chk_subj_label(dentry, mnt, current->role); + + if (!(retmode & GR_PTRACERD) && + !(current->role->roletype & GR_ROLE_GOD) && + (current->acl != subj)) { + security_alert(GR_PTRACE_EXEC_ACL_MSG, + gr_to_filename(dentry, mnt), DEFAULTSECARGS); + return 1; + } + + return 0; +} + +int +gr_handle_mmap(const struct file *filp, const unsigned long prot) +{ + struct acl_object_label *obj, *obj2; + + if (unlikely(!(gr_status & GR_READY) || + (current->acl->mode & GR_OVERRIDE) || !filp || + !(prot & PROT_EXEC))) + return 0; + + if (unlikely(current->is_writable)) + return 0; + + obj = chk_obj_label(filp->f_dentry, filp->f_vfsmnt, default_role->root_label); + obj2 = chk_obj_label(filp->f_dentry, filp->f_vfsmnt, + current->role->root_label); + if (unlikely((obj->mode & GR_WRITE) || (obj2->mode & GR_WRITE))) { + security_alert(GR_WRITLIB_ACL_MSG, + gr_to_filename(filp->f_dentry, filp->f_vfsmnt), + DEFAULTSECARGS); + return 1; + } + + return 0; +} + +int +gr_acl_handle_mmap(const struct file *file, const unsigned long prot) +{ + __u32 mode; + + if (unlikely(!file || !(prot & PROT_EXEC))) + return 1; + + mode = + gr_search_file(file->f_dentry, + GR_EXEC | GR_AUDIT_EXEC | GR_SUPPRESS, + file->f_vfsmnt); + + if (unlikely(!gr_tpe_allow(file) || (!(mode & GR_EXEC) && !(mode & GR_SUPPRESS)))) { + security_alert(GR_MMAP_ACL_MSG, "denied", + gr_to_filename(file->f_dentry, file->f_vfsmnt), + DEFAULTSECARGS); + return 0; + } else if (unlikely(!gr_tpe_allow(file) || !(mode & GR_EXEC))) { + return 0; + } else if (unlikely(mode & GR_EXEC && mode & GR_AUDIT_EXEC)) { + security_audit(GR_MMAP_ACL_MSG, "successful", + gr_to_filename(file->f_dentry, file->f_vfsmnt), + DEFAULTSECARGS); + return 1; + } + + return 1; +} + +int +gr_acl_handle_mprotect(const struct file *file, const unsigned long prot) +{ + __u32 mode; + + if (unlikely(!file || !(prot & PROT_EXEC))) + return 1; + + mode = + gr_search_file(file->f_dentry, + GR_EXEC | GR_AUDIT_EXEC | GR_SUPPRESS, + file->f_vfsmnt); + + if (unlikely(!gr_tpe_allow(file) || (!(mode & GR_EXEC) && !(mode & GR_SUPPRESS)))) { + security_alert(GR_MPROTECT_ACL_MSG, "denied", + gr_to_filename(file->f_dentry, file->f_vfsmnt), + DEFAULTSECARGS); + return 0; + } else if (unlikely(!gr_tpe_allow(file) || !(mode & GR_EXEC))) { + return 0; + } else if (unlikely(mode & GR_EXEC && mode & GR_AUDIT_EXEC)) { + security_audit(GR_MPROTECT_ACL_MSG, "successful", + gr_to_filename(file->f_dentry, file->f_vfsmnt), + DEFAULTSECARGS); + return 1; + } + + return 1; +} + +void +gr_acl_handle_psacct(struct task_struct *task, const long code) +{ + u64 runtime64; + unsigned long runtime; + unsigned long cputime; + unsigned int wday, cday; + __u8 whr, chr; + __u8 wmin, cmin; + __u8 wsec, csec; + char cur_tty[64] = { 0 }; + char parent_tty[64] = { 0 }; + + if (unlikely(!(gr_status & GR_READY) || !task->acl || + !(task->acl->mode & GR_PROCACCT))) + return; + + runtime64 = get_jiffies_64() - task->start_time; + do_div(runtime64, HZ); + runtime = (unsigned long)runtime64; + wday = runtime / (3600 * 24); + runtime -= wday * (3600 * 24); + whr = runtime / 3600; + runtime -= whr * 3600; + wmin = runtime / 60; + runtime -= wmin * 60; + wsec = runtime; + + cputime = (task->utime + task->stime) / HZ; + cday = cputime / (3600 * 24); + cputime -= cday * (3600 * 24); + chr = cputime / 3600; + cputime -= chr * 3600; + cmin = cputime / 60; + cputime -= cmin * 60; + csec = cputime; + + security_audit(GR_ACL_PROCACCT_MSG, gr_task_fullpath(task), task->comm, + task->pid, NIPQUAD(task->curr_ip), tty_name(task->signal->tty, + cur_tty), + task->uid, task->euid, task->gid, task->egid, wday, whr, + wmin, wsec, cday, chr, cmin, csec, + (task->flags & PF_SIGNALED) ? "killed by signal" : "exited", + code, gr_parent_task_fullpath(task), + task->parent->comm, task->parent->pid, + NIPQUAD(task->parent->curr_ip), + tty_name(task->parent->signal->tty, parent_tty), + task->parent->uid, task->parent->euid, task->parent->gid, + task->parent->egid); + + return; +} + +EXPORT_SYMBOL(gr_set_kernel_label); + +void gr_set_kernel_label(struct task_struct *task) +{ + if (gr_status & GR_READY) { + task->role = kernel_role; + task->acl = kernel_role->root_label; + } + return; +} diff -uNr linux-2.6.7-rc1.orig/grsecurity/gracl_cap.c linux-2.6.7-rc1/grsecurity/gracl_cap.c --- linux-2.6.7-rc1.orig/grsecurity/gracl_cap.c 1970-01-01 01:00:00.000000000 +0100 +++ linux-2.6.7-rc1/grsecurity/gracl_cap.c 2004-05-25 14:33:58.909404736 +0200 @@ -0,0 +1,115 @@ +/* capability handling routines, (c) Brad Spengler 2002,2003 */ + +#include +#include +#include +#include +#include +#include +#include + +static const char *captab_log[29] = { + "CAP_CHOWN", + "CAP_DAC_OVERRIDE", + "CAP_DAC_READ_SEARCH", + "CAP_FOWNER", + "CAP_FSETID", + "CAP_KILL", + "CAP_SETGID", + "CAP_SETUID", + "CAP_SETPCAP", + "CAP_LINUX_IMMUTABLE", + "CAP_NET_BIND_SERVICE", + "CAP_NET_BROADCAST", + "CAP_NET_ADMIN", + "CAP_NET_RAW", + "CAP_IPC_LOCK", + "CAP_IPC_OWNER", + "CAP_SYS_MODULE", + "CAP_SYS_RAWIO", + "CAP_SYS_CHROOT", + "CAP_SYS_PTRACE", + "CAP_SYS_PACCT", + "CAP_SYS_ADMIN", + "CAP_SYS_BOOT", + "CAP_SYS_NICE", + "CAP_SYS_RESOURCE", + "CAP_SYS_TIME", + "CAP_SYS_TTY_CONFIG", + "CAP_MKNOD", + "CAP_LEASE" +}; + +EXPORT_SYMBOL(gr_task_is_capable); + +int +gr_task_is_capable(struct task_struct *task, const int cap) +{ + struct acl_subject_label *curracl; + __u32 cap_drop = 0, cap_mask = 0; + + if (!gr_acl_is_enabled()) + return 1; + + curracl = task->acl; + + cap_drop = curracl->cap_lower; + cap_mask = curracl->cap_mask; + + while ((curracl = curracl->parent_subject)) { + cap_drop |= curracl->cap_lower & (cap_mask & ~curracl->cap_mask); + cap_mask |= curracl->cap_mask; + } + + if (!cap_raised(cap_drop, cap)) + return 1; + + curracl = task->acl; + + if ((curracl->mode & GR_LEARN) + && cap_raised(task->cap_effective, cap)) { + security_learn(GR_LEARN_AUDIT_MSG, task->role->rolename, + task->role->roletype, task->uid, + task->gid, task->exec_file ? + gr_to_filename(task->exec_file->f_dentry, + task->exec_file->f_vfsmnt) : curracl->filename, + curracl->filename, 0UL, + 0UL, "", (unsigned long) cap, NIPQUAD(task->curr_ip)); + return 1; + } + + if ((cap >= 0) && (cap < 29) && cap_raised(task->cap_effective, cap)) + security_alert(GR_CAP_ACL_MSG, captab_log[cap], + gr_task_fullpath(task), task->comm, task->pid, task->uid, task->euid, + task->gid, task->egid, gr_parent_task_fullpath(task), + task->parent->comm, task->parent->pid, task->parent->uid, + task->parent->euid, task->parent->gid, task->parent->egid); + + return 0; +} + +int +gr_is_capable_nolog(const int cap) +{ + struct acl_subject_label *curracl; + __u32 cap_drop = 0, cap_mask = 0; + + if (!gr_acl_is_enabled()) + return 1; + + curracl = current->acl; + + cap_drop = curracl->cap_lower; + cap_mask = curracl->cap_mask; + + while ((curracl = curracl->parent_subject)) { + cap_drop |= curracl->cap_lower & (cap_mask & ~curracl->cap_mask); + cap_mask |= curracl->cap_mask; + } + + if (!cap_raised(cap_drop, cap)) + return 1; + + return 0; +} + diff -uNr linux-2.6.7-rc1.orig/grsecurity/gracl_fs.c linux-2.6.7-rc1/grsecurity/gracl_fs.c --- linux-2.6.7-rc1.orig/grsecurity/gracl_fs.c 1970-01-01 01:00:00.000000000 +0100 +++ linux-2.6.7-rc1/grsecurity/gracl_fs.c 2004-05-25 14:33:58.913404128 +0200 @@ -0,0 +1,460 @@ +#include +#include +#include +#include +#include +#include +#include +#include + +__u32 +gr_acl_handle_hidden_file(const struct dentry * dentry, + const struct vfsmount * mnt) +{ + __u32 mode; + + if (unlikely(!dentry->d_inode)) + return GR_FIND; + + mode = + gr_search_file(dentry, GR_FIND | GR_AUDIT_FIND | GR_SUPPRESS, mnt); + + if (unlikely(mode & GR_FIND && mode & GR_AUDIT_FIND)) { + security_audit(GR_HIDDEN_ACL_MSG, "successful", + gr_to_filename(dentry, mnt), DEFAULTSECARGS); + return mode; + } else if (unlikely(!(mode & GR_FIND) && !(mode & GR_SUPPRESS))) { + security_alert(GR_HIDDEN_ACL_MSG, "denied", + gr_to_filename(dentry, mnt), + DEFAULTSECARGS); + return 0; + } else if (unlikely(!(mode & GR_FIND))) + return 0; + + return GR_FIND; +} + +__u32 +gr_acl_handle_open(const struct dentry * dentry, const struct vfsmount * mnt, + const int fmode) +{ + __u32 reqmode = GR_FIND; + __u32 mode; + + if (unlikely(!dentry->d_inode)) + return reqmode; + + if (unlikely(fmode & O_APPEND)) + reqmode |= GR_APPEND; + else if (unlikely(fmode & FMODE_WRITE)) + reqmode |= GR_WRITE; + if (likely((fmode & FMODE_READ) && !(fmode & O_DIRECTORY))) + reqmode |= GR_READ; + + mode = + gr_search_file(dentry, reqmode | to_gr_audit(reqmode) | GR_SUPPRESS, + mnt); + + if (unlikely(((mode & reqmode) == reqmode) && mode & GR_AUDITS)) { + security_audit(GR_OPEN_ACL_MSG, "successful", + gr_to_filename(dentry, mnt), + reqmode & GR_READ ? " reading" : "", + reqmode & GR_WRITE ? " writing" : + reqmode & GR_APPEND ? " appending" : "", + DEFAULTSECARGS); + return reqmode; + } else + if (unlikely((mode & reqmode) != reqmode && !(mode & GR_SUPPRESS))) + { + security_alert(GR_OPEN_ACL_MSG, "denied", + gr_to_filename(dentry, mnt), + reqmode & GR_READ ? " reading" : "", + reqmode & GR_WRITE ? " writing" : reqmode & + GR_APPEND ? " appending" : "", DEFAULTSECARGS); + return 0; + } else if (unlikely((mode & reqmode) != reqmode)) + return 0; + + return reqmode; +} + +__u32 +gr_acl_handle_creat(const struct dentry * dentry, + const struct dentry * p_dentry, + const struct vfsmount * p_mnt, const int fmode, + const int imode) +{ + __u32 reqmode = GR_WRITE | GR_CREATE; + __u32 mode; + + if (unlikely(fmode & O_APPEND)) + reqmode |= GR_APPEND; + if (unlikely((fmode & FMODE_READ) && !(fmode & O_DIRECTORY))) + reqmode |= GR_READ; + if (unlikely((fmode & O_CREAT) && (imode & (S_ISUID | S_ISGID)))) + reqmode |= GR_SETID; + + mode = + gr_check_create(dentry, p_dentry, p_mnt, + reqmode | to_gr_audit(reqmode) | GR_SUPPRESS); + + if (unlikely(((mode & reqmode) == reqmode) && mode & GR_AUDITS)) { + security_audit(GR_CREATE_ACL_MSG, "successful", + gr_to_filename(dentry, p_mnt), + reqmode & GR_READ ? " reading" : "", + reqmode & GR_WRITE ? " writing" : + reqmode & GR_APPEND ? " appending" : "", + DEFAULTSECARGS); + return reqmode; + } else + if (unlikely((mode & reqmode) != reqmode && !(mode & GR_SUPPRESS))) + { + security_alert(GR_CREATE_ACL_MSG, "denied", + gr_to_filename(dentry, p_mnt), + reqmode & GR_READ ? " reading" : "", + reqmode & GR_WRITE ? " writing" : reqmode & + GR_APPEND ? " appending" : "", DEFAULTSECARGS); + return 0; + } else if (unlikely((mode & reqmode) != reqmode)) + return 0; + + return reqmode; +} + +__u32 +gr_acl_handle_access(const struct dentry * dentry, const struct vfsmount * mnt, + const int fmode) +{ + __u32 mode, reqmode = GR_FIND; + + if ((fmode & S_IXOTH) && !S_ISDIR(dentry->d_inode->i_mode)) + reqmode |= GR_EXEC; + if (fmode & S_IWOTH) + reqmode |= GR_WRITE; + if (fmode & S_IROTH) + reqmode |= GR_READ; + + mode = + gr_search_file(dentry, reqmode | to_gr_audit(reqmode) | GR_SUPPRESS, + mnt); + + if (unlikely(((mode & reqmode) == reqmode) && mode & GR_AUDITS)) { + security_audit(GR_ACCESS_ACL_MSG, "successful", + gr_to_filename(dentry, mnt), + reqmode & GR_READ ? " reading" : "", + reqmode & GR_WRITE ? " writing" : "", + reqmode & GR_EXEC ? " executing" : "", + DEFAULTSECARGS); + return reqmode; + } else + if (unlikely((mode & reqmode) != reqmode && !(mode & GR_SUPPRESS))) + { + security_alert(GR_ACCESS_ACL_MSG, "denied", + gr_to_filename(dentry, mnt), + reqmode & GR_READ ? " reading" : "", + reqmode & GR_WRITE ? " writing" : "", + reqmode & GR_EXEC ? " executing" : "", + DEFAULTSECARGS); + return 0; + } else if (unlikely((mode & reqmode) != reqmode)) + return 0; + + return reqmode; +} + +#define generic_fs_handler(dentry, mnt, reqmode, fmt) \ +{ \ + __u32 mode; \ + \ + mode = gr_search_file(dentry, reqmode | to_gr_audit(reqmode) | GR_SUPPRESS, mnt); \ + \ + if (unlikely(((mode & (reqmode)) == (reqmode)) && mode & GR_AUDITS)) { \ + security_audit(fmt, "successful", \ + gr_to_filename(dentry, mnt), DEFAULTSECARGS); \ + return mode; \ + } else if (unlikely((mode & (reqmode)) != (reqmode) && !(mode & GR_SUPPRESS))) { \ + security_alert(fmt, "denied", gr_to_filename(dentry, mnt), \ + DEFAULTSECARGS); \ + return 0; \ + } else if (unlikely((mode & (reqmode)) != (reqmode))) \ + return 0; \ + \ + return (reqmode); \ +} + +__u32 +gr_acl_handle_rmdir(const struct dentry * dentry, const struct vfsmount * mnt) +{ + generic_fs_handler(dentry, mnt, GR_WRITE | GR_DELETE , GR_RMDIR_ACL_MSG); +} + +__u32 +gr_acl_handle_unlink(const struct dentry *dentry, const struct vfsmount *mnt) +{ + generic_fs_handler(dentry, mnt, GR_WRITE | GR_DELETE , GR_UNLINK_ACL_MSG); +} + +__u32 +gr_acl_handle_truncate(const struct dentry *dentry, const struct vfsmount *mnt) +{ + generic_fs_handler(dentry, mnt, GR_WRITE, GR_TRUNCATE_ACL_MSG); +} + +__u32 +gr_acl_handle_utime(const struct dentry *dentry, const struct vfsmount *mnt) +{ + generic_fs_handler(dentry, mnt, GR_WRITE, GR_ATIME_ACL_MSG); +} + +__u32 +gr_acl_handle_fchmod(const struct dentry *dentry, const struct vfsmount *mnt, + mode_t mode) +{ + if (unlikely((mode != (mode_t)-1) && (mode & (S_ISUID | S_ISGID)))) { + generic_fs_handler(dentry, mnt, GR_WRITE | GR_SETID, + GR_FCHMOD_ACL_MSG); + } else { + generic_fs_handler(dentry, mnt, GR_WRITE, GR_FCHMOD_ACL_MSG); + } +} + +__u32 +gr_acl_handle_chmod(const struct dentry *dentry, const struct vfsmount *mnt, + mode_t mode) +{ + if (unlikely((mode != (mode_t)-1) && (mode & (S_ISUID | S_ISGID)))) { + generic_fs_handler(dentry, mnt, GR_WRITE | GR_SETID, + GR_CHMOD_ACL_MSG); + } else { + generic_fs_handler(dentry, mnt, GR_WRITE, GR_CHMOD_ACL_MSG); + } +} + +__u32 +gr_acl_handle_chown(const struct dentry *dentry, const struct vfsmount *mnt) +{ + generic_fs_handler(dentry, mnt, GR_WRITE, GR_CHOWN_ACL_MSG); +} + +__u32 +gr_acl_handle_execve(const struct dentry *dentry, const struct vfsmount *mnt) +{ + generic_fs_handler(dentry, mnt, GR_EXEC, GR_EXEC_ACL_MSG); +} + +__u32 +gr_acl_handle_unix(const struct dentry *dentry, const struct vfsmount *mnt) +{ + generic_fs_handler(dentry, mnt, GR_READ | GR_WRITE, + GR_UNIXCONNECT_ACL_MSG); +} + +__u32 +gr_acl_handle_filldir(const struct dentry *dentry, const struct vfsmount *mnt, + const ino_t ino) +{ + if (likely((unsigned long)(dentry->d_inode))) { + struct dentry d = *dentry; + struct inode inode = *(dentry->d_inode); + + inode.i_ino = ino; + d.d_inode = &inode; + + if (unlikely(!gr_search_file(&d, GR_FIND | GR_NOLEARN, mnt))) + return 0; + } + + return 1; +} + +__u32 +gr_acl_handle_link(const struct dentry * new_dentry, + const struct dentry * parent_dentry, + const struct vfsmount * parent_mnt, + const struct dentry * old_dentry, + const struct vfsmount * old_mnt, const char *to) +{ + __u32 needmode = GR_WRITE | GR_CREATE; + __u32 mode; + + mode = + gr_check_link(new_dentry, parent_dentry, parent_mnt, old_dentry, + old_mnt); + + if (unlikely(((mode & needmode) == needmode) && mode & GR_AUDITS)) { + security_audit(GR_LINK_ACL_MSG, "successful", + gr_to_filename(old_dentry, old_mnt), to, + DEFAULTSECARGS); + return mode; + } else if (unlikely(((mode & needmode) != needmode) && !(mode & GR_SUPPRESS))) { + security_alert(GR_LINK_ACL_MSG, "denied", + gr_to_filename(old_dentry, old_mnt), to, + DEFAULTSECARGS); + return 0; + } else if (unlikely((mode & needmode) != needmode)) + return 0; + + return (GR_WRITE | GR_CREATE); +} + +__u32 +gr_acl_handle_symlink(const struct dentry * new_dentry, + const struct dentry * parent_dentry, + const struct vfsmount * parent_mnt, const char *from) +{ + __u32 needmode = GR_WRITE | GR_CREATE; + __u32 mode; + + mode = + gr_check_create(new_dentry, parent_dentry, parent_mnt, + GR_CREATE | GR_AUDIT_CREATE | + GR_WRITE | GR_AUDIT_WRITE | GR_SUPPRESS); + + if (unlikely(mode & GR_WRITE && mode & GR_AUDITS)) { + security_audit(GR_SYMLINK_ACL_MSG, "successful", + from, gr_to_filename(new_dentry, parent_mnt), + DEFAULTSECARGS); + return mode; + } else if (unlikely(((mode & needmode) != needmode) && !(mode & GR_SUPPRESS))) { + security_alert(GR_SYMLINK_ACL_MSG, "denied", + from, gr_to_filename(new_dentry, parent_mnt), + DEFAULTSECARGS); + return 0; + } else if (unlikely((mode & needmode) != needmode)) + return 0; + + return (GR_WRITE | GR_CREATE); +} + +#define generic_fs_create_handler(new_dentry, parent_dentry, parent_mnt, reqmode, fmt) \ +{ \ + __u32 mode; \ + \ + mode = gr_check_create(new_dentry, parent_dentry, parent_mnt, reqmode | to_gr_audit(reqmode) | GR_SUPPRESS); \ + \ + if (unlikely(((mode & (reqmode)) == (reqmode)) && mode & GR_AUDITS)) { \ + security_audit(fmt, "successful", \ + gr_to_filename(new_dentry, parent_mnt), \ + DEFAULTSECARGS); \ + return mode; \ + } else if (unlikely((mode & (reqmode)) != (reqmode) && !(mode & GR_SUPPRESS))) { \ + security_alert(fmt, "denied", \ + gr_to_filename(new_dentry, parent_mnt), \ + DEFAULTSECARGS); \ + return 0; \ + } else if (unlikely((mode & (reqmode)) != (reqmode))) \ + return 0; \ + \ + return (reqmode); \ +} + +__u32 +gr_acl_handle_mknod(const struct dentry * new_dentry, + const struct dentry * parent_dentry, + const struct vfsmount * parent_mnt, + const int mode) +{ + __u32 reqmode = GR_WRITE | GR_CREATE; + if (unlikely(mode & (S_ISUID | S_ISGID))) + reqmode |= GR_SETID; + + generic_fs_create_handler(new_dentry, parent_dentry, parent_mnt, + reqmode, GR_MKNOD_ACL_MSG); +} + +__u32 +gr_acl_handle_mkdir(const struct dentry *new_dentry, + const struct dentry *parent_dentry, + const struct vfsmount *parent_mnt) +{ + generic_fs_create_handler(new_dentry, parent_dentry, parent_mnt, + GR_WRITE | GR_CREATE, GR_MKDIR_ACL_MSG); +} + +#define RENAME_CHECK_SUCCESS(old, new) \ + (((old & (GR_WRITE | GR_READ)) == (GR_WRITE | GR_READ)) && \ + ((new & (GR_WRITE | GR_READ)) == (GR_WRITE | GR_READ))) + +int +gr_acl_handle_rename(struct dentry *new_dentry, + struct dentry *parent_dentry, + const struct vfsmount *parent_mnt, + struct dentry *old_dentry, + struct inode *old_parent_inode, + struct vfsmount *old_mnt, const char *newname) +{ + __u32 comp1, comp2; + int error = 0; + + if (unlikely(!gr_acl_is_enabled())) + return 0; + + if (!new_dentry->d_inode) { + comp1 = gr_check_create(new_dentry, parent_dentry, parent_mnt, + GR_READ | GR_WRITE | GR_CREATE | GR_AUDIT_READ | + GR_AUDIT_WRITE | GR_AUDIT_CREATE | GR_SUPPRESS); + comp2 = gr_search_file(old_dentry, GR_READ | GR_WRITE | + GR_DELETE | GR_AUDIT_DELETE | + GR_AUDIT_READ | GR_AUDIT_WRITE | + GR_SUPPRESS, old_mnt); + } else { + comp1 = gr_search_file(new_dentry, GR_READ | GR_WRITE | + GR_CREATE | GR_DELETE | + GR_AUDIT_CREATE | GR_AUDIT_DELETE | + GR_AUDIT_READ | GR_AUDIT_WRITE | + GR_SUPPRESS, parent_mnt); + comp2 = + gr_search_file(old_dentry, + GR_READ | GR_WRITE | GR_AUDIT_READ | + GR_DELETE | GR_AUDIT_DELETE | + GR_AUDIT_WRITE | GR_SUPPRESS, old_mnt); + } + + if (RENAME_CHECK_SUCCESS(comp1, comp2) && + ((comp1 & GR_AUDITS) || (comp2 & GR_AUDITS))) + security_audit(GR_RENAME_ACL_MSG, "successful", + gr_to_filename(old_dentry, old_mnt), + newname, DEFAULTSECARGS); + else if (!RENAME_CHECK_SUCCESS(comp1, comp2) && !(comp1 & GR_SUPPRESS) + && !(comp2 & GR_SUPPRESS)) { + security_alert(GR_RENAME_ACL_MSG, "denied", + gr_to_filename(old_dentry, old_mnt), newname, + DEFAULTSECARGS); + error = -EACCES; + } else if (unlikely(!RENAME_CHECK_SUCCESS(comp1, comp2))) + error = -EACCES; + + return error; +} + +void +gr_acl_handle_exit(void) +{ + u16 id; + char *rolename; + + if (unlikely(current->acl_sp_role && gr_acl_is_enabled())) { + id = current->acl_role_id; + rolename = current->role->rolename; + gr_set_acls(1); + security_alert_good(GR_SPROLEL_ACL_MSG, + rolename, id, DEFAULTSECARGS); + } + + if (current->exec_file) { + fput(current->exec_file); + current->exec_file = NULL; + } +} + +int +gr_acl_handle_procpidmem(const struct task_struct *task) +{ + if (unlikely(!gr_acl_is_enabled())) + return 0; + + if (task->acl->mode & GR_PROTPROCFD) + return -EACCES; + + return 0; +} diff -uNr linux-2.6.7-rc1.orig/grsecurity/gracl_ip.c linux-2.6.7-rc1/grsecurity/gracl_ip.c --- linux-2.6.7-rc1.orig/grsecurity/gracl_ip.c 1970-01-01 01:00:00.000000000 +0100 +++ linux-2.6.7-rc1/grsecurity/gracl_ip.c 2004-05-25 14:33:58.916403672 +0200 @@ -0,0 +1,236 @@ +/* + * grsecurity/gracl_ip.c + * Copyright Brad Spengler 2002, 2003 + * + */ + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#define GR_BIND 0x01 +#define GR_CONNECT 0x02 + +static const char * gr_protocols[256] = { + "ip", "icmp", "igmp", "ggp", "ipencap", "st", "tcp", "cbt", + "egp", "igp", "bbn-rcc", "nvp", "pup", "argus", "emcon", "xnet", + "chaos", "udp", "mux", "dcn", "hmp", "prm", "xns-idp", "trunk-1", + "trunk-2", "leaf-1", "leaf-2", "rdp", "irtp", "iso-tp4", "netblt", "mfe-nsp", + "merit-inp", "sep", "3pc", "idpr", "xtp", "ddp", "idpr-cmtp", "tp++", + "il", "ipv6", "sdrp", "ipv6-route", "ipv6-frag", "idrp", "rsvp", "gre", + "mhrp", "bna", "ipv6-crypt", "ipv6-auth", "i-nlsp", "swipe", "narp", "mobile", + "tlsp", "skip", "ipv6-icmp", "ipv6-nonxt", "ipv6-opts", "unknown:61", "cftp", "unknown:63", + "sat-expak", "kryptolan", "rvd", "ippc", "unknown:68", "sat-mon", "visa", "ipcv", + "cpnx", "cphb", "wsn", "pvp", "br-sat-mon", "sun-nd", "wb-mon", "wb-expak", + "iso-ip", "vmtp", "secure-vmtp", "vines", "ttp", "nfsnet-igp", "dgp", "tcf", + "eigrp", "ospf", "sprite-rpc", "larp", "mtp", "ax.25", "ipip", "micp", + "scc-sp", "etherip", "encap", "unknown:99", "gmtp", "ifmp", "pnni", "pim", + "aris", "scps", "qnx", "a/n", "ipcomp", "snp", "compaq-peer", "ipx-in-ip", + "vrrp", "pgm", "unknown:114", "l2tp", "ddx", "iatp", "stp", "srp", + "uti", "smp", "sm", "ptp", "isis", "fire", "crtp", "crdup", + "sscopmce", "iplt", "sps", "pipe", "sctp", "fc", "unkown:134", "unknown:135", + "unknown:136", "unknown:137", "unknown:138", "unknown:139", "unknown:140", "unknown:141", "unknown:142", "unknown:143", + "unknown:144", "unknown:145", "unknown:146", "unknown:147", "unknown:148", "unknown:149", "unknown:150", "unknown:151", + "unknown:152", "unknown:153", "unknown:154", "unknown:155", "unknown:156", "unknown:157", "unknown:158", "unknown:159", + "unknown:160", "unknown:161", "unknown:162", "unknown:163", "unknown:164", "unknown:165", "unknown:166", "unknown:167", + "unknown:168", "unknown:169", "unknown:170", "unknown:171", "unknown:172", "unknown:173", "unknown:174", "unknown:175", + "unknown:176", "unknown:177", "unknown:178", "unknown:179", "unknown:180", "unknown:181", "unknown:182", "unknown:183", + "unknown:184", "unknown:185", "unknown:186", "unknown:187", "unknown:188", "unknown:189", "unknown:190", "unknown:191", + "unknown:192", "unknown:193", "unknown:194", "unknown:195", "unknown:196", "unknown:197", "unknown:198", "unknown:199", + "unknown:200", "unknown:201", "unknown:202", "unknown:203", "unknown:204", "unknown:205", "unknown:206", "unknown:207", + "unknown:208", "unknown:209", "unknown:210", "unknown:211", "unknown:212", "unknown:213", "unknown:214", "unknown:215", + "unknown:216", "unknown:217", "unknown:218", "unknown:219", "unknown:220", "unknown:221", "unknown:222", "unknown:223", + "unknown:224", "unknown:225", "unknown:226", "unknown:227", "unknown:228", "unknown:229", "unknown:230", "unknown:231", + "unknown:232", "unknown:233", "unknown:234", "unknown:235", "unknown:236", "unknown:237", "unknown:238", "unknown:239", + "unknown:240", "unknown:241", "unknown:242", "unknown:243", "unknown:244", "unknown:245", "unknown:246", "unknown:247", + "unknown:248", "unknown:249", "unknown:250", "unknown:251", "unknown:252", "unknown:253", "unknown:254", "unknown:255", + }; + +static const char * gr_socktypes[11] = { + "unknown:0", "stream", "dgram", "raw", "rdm", "seqpacket", "unknown:6", + "unknown:7", "unknown:8", "unknown:9", "packet" + }; + +__inline__ const char * +gr_proto_to_name(unsigned char proto) +{ + return gr_protocols[proto]; +} + +__inline__ const char * +gr_socktype_to_name(unsigned char type) +{ + return gr_socktypes[type]; +} + +int +gr_search_socket(const int domain, const int type, const int protocol) +{ + struct acl_subject_label *curr; + + if (unlikely(!gr_acl_is_enabled())) + goto exit; + + if ((domain < 0) || (type < 0) || (protocol < 0) || (domain != PF_INET) + || (domain >= NPROTO) || (type >= SOCK_MAX) || (protocol > 255)) + goto exit; // let the kernel handle it + + curr = current->acl; + + if (!curr->ips) + goto exit; + + if ((curr->ip_type & (1 << type)) && + (curr->ip_proto[protocol / 32] & (1 << (protocol % 32)))) + goto exit; + + if (curr->mode & GR_LEARN) { + /* we don't place acls on raw sockets , and sometimes + dgram/ip sockets are opened for ioctl and not + bind/connect, so we'll fake a bind learn log */ + if (type == SOCK_RAW || type == SOCK_PACKET) { + __u32 fakeip = 0; + security_learn(GR_IP_LEARN_MSG, current->role->rolename, + current->role->roletype, current->uid, + current->gid, current->exec_file ? + gr_to_filename(current->exec_file->f_dentry, + current->exec_file->f_vfsmnt) : + curr->filename, curr->filename, + NIPQUAD(fakeip), 0, type, + protocol, GR_CONNECT, NIPQUAD(current->curr_ip)); + } else if ((type == SOCK_DGRAM) && (protocol == IPPROTO_IP)) { + __u32 fakeip = 0; + security_learn(GR_IP_LEARN_MSG, current->role->rolename, + current->role->roletype, current->uid, + current->gid, current->exec_file ? + gr_to_filename(current->exec_file->f_dentry, + current->exec_file->f_vfsmnt) : + curr->filename, curr->filename, + NIPQUAD(fakeip), 0, type, + protocol, GR_BIND, NIPQUAD(current->curr_ip)); + } + /* we'll log when they use connect or bind */ + goto exit; + } + + security_alert(GR_SOCK_MSG, "inet", gr_socktype_to_name(type), + gr_proto_to_name(protocol), DEFAULTSECARGS); + + return 0; + exit: + return 1; +} + +static __inline__ int +gr_search_connectbind(const int mode, const struct sock *sk, + const struct sockaddr_in *addr, const int type) +{ + struct acl_subject_label *curr; + struct acl_ip_label *ip; + unsigned long i; + __u32 ip_addr = 0; + __u16 ip_port = 0; + + if (unlikely(!gr_acl_is_enabled() || sk->sk_family != PF_INET)) + return 1; + + curr = current->acl; + + if (!curr->ips) + return 1; + + ip_addr = addr->sin_addr.s_addr; + ip_port = ntohs(addr->sin_port); + + for (i = 0; i < curr->ip_num; i++) { + ip = *(curr->ips + i); + if ((ip->mode & mode) && + (ip_port >= ip->low) && + (ip_port <= ip->high) && + ((ntohl(ip_addr) & ip->netmask) == + (ntohl(ip->addr) & ip->netmask)) + && (ip-> + proto[sk->sk_protocol / 32] & (1 << (sk->sk_protocol % 32))) + && (ip->type & (1 << type))) + return 1; + } + + if (curr->mode & GR_LEARN) { + security_learn(GR_IP_LEARN_MSG, current->role->rolename, + current->role->roletype, current->uid, + current->gid, current->exec_file ? + gr_to_filename(current->exec_file->f_dentry, + current->exec_file->f_vfsmnt) : + curr->filename, curr->filename, + NIPQUAD(ip_addr), ip_port, type, + sk->sk_protocol, mode, NIPQUAD(current->curr_ip)); + return 1; + } + + if (mode == GR_BIND) + security_alert(GR_BIND_ACL_MSG, NIPQUAD(ip_addr), ip_port, + gr_socktype_to_name(type), gr_proto_to_name(sk->sk_protocol), + DEFAULTSECARGS); + else if (mode == GR_CONNECT) + security_alert(GR_CONNECT_ACL_MSG, NIPQUAD(ip_addr), ip_port, + gr_socktype_to_name(type), gr_proto_to_name(sk->sk_protocol), + DEFAULTSECARGS); + + return 0; +} + +int +gr_search_connect(const struct socket *sock, const struct sockaddr_in *addr) +{ + return gr_search_connectbind(GR_CONNECT, sock->sk, addr, sock->type); +} + +int +gr_search_bind(const struct socket *sock, const struct sockaddr_in *addr) +{ + return gr_search_connectbind(GR_BIND, sock->sk, addr, sock->type); +} + +int +gr_search_udp_sendmsg(const struct sock *sk, const struct sockaddr_in *addr) +{ + if (addr) + return gr_search_connectbind(GR_CONNECT, sk, addr, SOCK_DGRAM); + else { + struct sockaddr_in sin; + const struct inet_opt *inet = inet_sk(sk); + + sin.sin_addr.s_addr = inet->daddr; + sin.sin_port = inet->dport; + + return gr_search_connectbind(GR_CONNECT, sk, &sin, SOCK_DGRAM); + } +} + +int +gr_search_udp_recvmsg(const struct sock *sk, const struct sk_buff *skb) +{ + struct sockaddr_in sin; + + if (unlikely(skb->len < sizeof (struct udphdr))) + return 1; // skip this packet + + sin.sin_addr.s_addr = skb->nh.iph->saddr; + sin.sin_port = skb->h.uh->source; + + return gr_search_connectbind(GR_CONNECT, sk, &sin, SOCK_DGRAM); +} diff -uNr linux-2.6.7-rc1.orig/grsecurity/gracl_learn.c linux-2.6.7-rc1/grsecurity/gracl_learn.c --- linux-2.6.7-rc1.orig/grsecurity/gracl_learn.c 1970-01-01 01:00:00.000000000 +0100 +++ linux-2.6.7-rc1/grsecurity/gracl_learn.c 2004-05-25 14:33:58.919403216 +0200 @@ -0,0 +1,204 @@ +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +extern ssize_t write_grsec_handler(struct file * file, const char * buf, + size_t count, loff_t *ppos); +extern int gr_acl_is_enabled(void); + +static DECLARE_WAIT_QUEUE_HEAD(learn_wait); +static int gr_learn_attached; + +/* use a 512k buffer */ +#define LEARN_BUFFER_SIZE (512 * 1024) + +static spinlock_t gr_learn_lock = SPIN_LOCK_UNLOCKED; +static DECLARE_MUTEX(gr_learn_user_sem); + +/* we need to maintain two buffers, so that the kernel context of grlearn + uses a semaphore around the userspace copying, and the other kernel contexts + use a spinlock when copying into the buffer, since they cannot sleep +*/ +static char *learn_buffer; +static char *learn_buffer_user; +static int learn_buffer_len; +static int learn_buffer_user_len; + +static ssize_t +read_learn(struct file *file, char * buf, size_t count, loff_t * ppos) +{ + DECLARE_WAITQUEUE(wait, current); + ssize_t retval = 0; + + add_wait_queue(&learn_wait, &wait); + set_current_state(TASK_INTERRUPTIBLE); + do { + down(&gr_learn_user_sem); + spin_lock(&gr_learn_lock); + if (learn_buffer_len) + break; + spin_unlock(&gr_learn_lock); + up(&gr_learn_user_sem); + if (file->f_flags & O_NONBLOCK) { + retval = -EAGAIN; + goto out; + } + if (signal_pending(current)) { + retval = -ERESTARTSYS; + goto out; + } + + schedule(); + } while (1); + + memcpy(learn_buffer_user, learn_buffer, learn_buffer_len); + learn_buffer_user_len = learn_buffer_len; + retval = learn_buffer_len; + learn_buffer_len = 0; + + spin_unlock(&gr_learn_lock); + + if (copy_to_user(buf, learn_buffer_user, learn_buffer_user_len)) + retval = -EFAULT; + + up(&gr_learn_user_sem); +out: + set_current_state(TASK_RUNNING); + remove_wait_queue(&learn_wait, &wait); + return retval; +} + +static unsigned int +poll_learn(struct file * file, poll_table * wait) +{ + poll_wait(file, &learn_wait, wait); + + if (learn_buffer_len) + return (POLLIN | POLLRDNORM); + + return 0; +} + +void +gr_clear_learn_entries(void) +{ + char *tmp; + + down(&gr_learn_user_sem); + if (learn_buffer != NULL) { + spin_lock(&gr_learn_lock); + tmp = learn_buffer; + learn_buffer = NULL; + spin_unlock(&gr_learn_lock); + vfree(learn_buffer); + } + if (learn_buffer_user != NULL) { + vfree(learn_buffer_user); + learn_buffer_user = NULL; + } + learn_buffer_len = 0; + up(&gr_learn_user_sem); + + return; +} + +void +gr_add_learn_entry(const char *fmt, ...) +{ + va_list args; + unsigned int len; + + if (!gr_learn_attached) + return; + + spin_lock(&gr_learn_lock); + + /* leave a gap at the end so we know when it's "full" but don't have to + compute the exact length of the string we're trying to append + */ + if (learn_buffer_len > LEARN_BUFFER_SIZE - 16384) { + spin_unlock(&gr_learn_lock); + wake_up_interruptible(&learn_wait); + return; + } + if (learn_buffer == NULL) { + spin_unlock(&gr_learn_lock); + return; + } + + va_start(args, fmt); + len = vsnprintf(learn_buffer + learn_buffer_len, LEARN_BUFFER_SIZE - learn_buffer_len, fmt, args); + va_end(args); + + learn_buffer_len += len + 1; + + spin_unlock(&gr_learn_lock); + wake_up_interruptible(&learn_wait); + + return; +} + +static int +open_learn(struct inode *inode, struct file *file) +{ + if (file->f_mode & FMODE_READ && gr_learn_attached) + return -EBUSY; + if (file->f_mode & FMODE_READ) { + down(&gr_learn_user_sem); + if (learn_buffer == NULL) + learn_buffer = vmalloc(LEARN_BUFFER_SIZE); + if (learn_buffer_user == NULL) + learn_buffer_user = vmalloc(LEARN_BUFFER_SIZE); + if (learn_buffer == NULL) + return -ENOMEM; + if (learn_buffer_user == NULL) + return -ENOMEM; + learn_buffer_len = 0; + learn_buffer_user_len = 0; + gr_learn_attached = 1; + up(&gr_learn_user_sem); + } + return 0; +} + +static int +close_learn(struct inode *inode, struct file *file) +{ + char *tmp; + + if (file->f_mode & FMODE_READ) { + down(&gr_learn_user_sem); + if (learn_buffer != NULL) { + spin_lock(&gr_learn_lock); + tmp = learn_buffer; + learn_buffer = NULL; + spin_unlock(&gr_learn_lock); + vfree(tmp); + } + if (learn_buffer_user != NULL) { + vfree(learn_buffer_user); + learn_buffer_user = NULL; + } + learn_buffer_len = 0; + learn_buffer_user_len = 0; + gr_learn_attached = 0; + up(&gr_learn_user_sem); + } + + return 0; +} + +struct file_operations grsec_fops = { + read: read_learn, + write: write_grsec_handler, + open: open_learn, + release: close_learn, + poll: poll_learn, +}; diff -uNr linux-2.6.7-rc1.orig/grsecurity/gracl_res.c linux-2.6.7-rc1/grsecurity/gracl_res.c --- linux-2.6.7-rc1.orig/grsecurity/gracl_res.c 1970-01-01 01:00:00.000000000 +0100 +++ linux-2.6.7-rc1/grsecurity/gracl_res.c 2004-05-25 14:33:58.920403064 +0200 @@ -0,0 +1,50 @@ +/* resource handling routines (c) Brad Spengler 2002, 2003 */ + +#include +#include +#include +#include + +static const char *restab_log[11] = { + "RLIMIT_CPU", + "RLIMIT_FSIZE", + "RLIMIT_DATA", + "RLIMIT_STACK", + "RLIMIT_CORE", + "RLIMIT_RSS", + "RLIMIT_NPROC", + "RLIMIT_NOFILE", + "RLIMIT_MEMLOCK", + "RLIMIT_AS", + "RLIMIT_LOCKS" +}; + +__inline__ void +gr_log_resource(const struct task_struct *task, + const int res, const unsigned long wanted, const int gt) +{ + if (unlikely(res == RLIMIT_NPROC && + (cap_raised(task->cap_effective, CAP_SYS_ADMIN) || + cap_raised(task->cap_effective, CAP_SYS_RESOURCE)))) + return; + + preempt_disable(); + + if (unlikely(((gt && wanted > task->rlim[res].rlim_cur) || + (!gt && wanted >= task->rlim[res].rlim_cur)) && + task->rlim[res].rlim_cur != RLIM_INFINITY)) + security_alert(GR_RESOURCE_MSG, wanted, restab_log[res], + task->rlim[res].rlim_cur, + gr_task_fullpath(task), task->comm, + task->pid, task->uid, task->euid, + task->gid, task->egid, + gr_parent_task_fullpath(task), + task->parent->comm, + task->parent->pid, task->parent->uid, + task->parent->euid, task->parent->gid, + task->parent->egid); + + preempt_enable_no_resched(); + + return; +} diff -uNr linux-2.6.7-rc1.orig/grsecurity/gracl_segv.c linux-2.6.7-rc1/grsecurity/gracl_segv.c --- linux-2.6.7-rc1.orig/grsecurity/gracl_segv.c 1970-01-01 01:00:00.000000000 +0100 +++ linux-2.6.7-rc1/grsecurity/gracl_segv.c 2004-05-25 14:33:58.922402760 +0200 @@ -0,0 +1,330 @@ +/* + * grsecurity/gracl_segv.c + * Copyright Brad Spengler 2002, 2003 + * + */ + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +static struct crash_uid *uid_set; +static unsigned short uid_used; +static rwlock_t gr_uid_lock = RW_LOCK_UNLOCKED; +extern rwlock_t gr_inode_lock; +extern struct acl_subject_label * + lookup_acl_subj_label(const ino_t inode, const dev_t dev, + struct acl_role_label *role); +extern int specific_send_sig_info(int sig, struct siginfo *info, struct task_struct *t); + +int +gr_init_uidset(void) +{ + uid_set = + kmalloc(GR_UIDTABLE_MAX * sizeof (struct crash_uid), GFP_KERNEL); + uid_used = 0; + + return uid_set ? 1 : 0; +} + +void +gr_free_uidset(void) +{ + if (uid_set) + kfree(uid_set); + + return; +} + +int +gr_find_uid(const uid_t uid) +{ + struct crash_uid *tmp = uid_set; + uid_t buid; + int low = 0, high = uid_used - 1, mid; + + while (high >= low) { + mid = (low + high) >> 1; + buid = tmp[mid].uid; + if (buid == uid) + return mid; + if (buid > uid) + high = mid - 1; + if (buid < uid) + low = mid + 1; + } + + return -1; +} + +static __inline__ void +gr_insertsort(void) +{ + unsigned short i, j; + struct crash_uid index; + + for (i = 1; i < uid_used; i++) { + index = uid_set[i]; + j = i; + while ((j > 0) && uid_set[j - 1].uid > index.uid) { + uid_set[j] = uid_set[j - 1]; + j--; + } + uid_set[j] = index; + } + + return; +} + +static __inline__ void +gr_insert_uid(const uid_t uid, const unsigned long expires) +{ + int loc; + + if (uid_used == GR_UIDTABLE_MAX) + return; + + loc = gr_find_uid(uid); + + if (loc >= 0) { + uid_set[loc].expires = expires; + return; + } + + uid_set[uid_used].uid = uid; + uid_set[uid_used].expires = expires; + uid_used++; + + gr_insertsort(); + + return; +} + +void +gr_remove_uid(const unsigned short loc) +{ + unsigned short i; + + for (i = loc + 1; i < uid_used; i++) + uid_set[i - i] = uid_set[i]; + + uid_used--; + + return; +} + +int +gr_check_crash_uid(const uid_t uid) +{ + int loc; + + if (unlikely(!gr_acl_is_enabled())) + return 0; + + read_lock(&gr_uid_lock); + loc = gr_find_uid(uid); + read_unlock(&gr_uid_lock); + + if (loc < 0) + return 0; + + write_lock(&gr_uid_lock); + if (time_before_eq(uid_set[loc].expires, get_seconds())) + gr_remove_uid(loc); + else { + write_unlock(&gr_uid_lock); + return 1; + } + + write_unlock(&gr_uid_lock); + return 0; +} + +static __inline__ int +proc_is_setxid(const struct task_struct *task) +{ + if (task->uid != task->euid || task->uid != task->suid || + task->uid != task->fsuid) + return 1; + if (task->gid != task->egid || task->gid != task->sgid || + task->gid != task->fsgid) + return 1; + + return 0; +} +static __inline__ int +gr_fake_force_sig(int sig, struct task_struct *t) +{ + unsigned long int flags; + int ret; + + spin_lock_irqsave(&t->sighand->siglock, flags); + if (sigismember(&t->blocked, sig) || t->sighand->action[sig-1].sa.sa_handler == SIG_IGN) { + t->sighand->action[sig-1].sa.sa_handler = SIG_DFL; + sigdelset(&t->blocked, sig); + recalc_sigpending_tsk(t); + } + ret = specific_send_sig_info(sig, (void*)1L, t); + spin_unlock_irqrestore(&t->sighand->siglock, flags); + + return ret; +} + +void +gr_handle_crash(struct task_struct *task, const int sig) +{ + struct acl_subject_label *curr; + struct acl_subject_label *curr2; + struct task_struct *tsk, *tsk2; + + if (sig != SIGSEGV && sig != SIGKILL && sig != SIGBUS && sig != SIGILL) + return; + + if (unlikely(!gr_acl_is_enabled())) + return; + + curr = task->acl; + + if (!(curr->resmask & (1 << GR_CRASH_RES))) + return; + + if (time_before_eq(curr->expires, get_seconds())) { + curr->expires = 0; + curr->crashes = 0; + } + + curr->crashes++; + + if (!curr->expires) + curr->expires = get_seconds() + curr->res[GR_CRASH_RES].rlim_max; + + if ((curr->crashes >= curr->res[GR_CRASH_RES].rlim_cur) && + time_after(curr->expires, get_seconds())) { + if (task->uid && proc_is_setxid(task)) { + security_alert(GR_SEGVSTART_ACL_MSG, + gr_task_fullpath(task), task->comm, + task->pid, task->uid, task->euid, + task->gid, task->egid, + gr_parent_task_fullpath(task), + task->parent->comm, task->parent->pid, + task->parent->uid, task->parent->euid, + task->parent->gid, task->parent->egid, + task->uid, + curr->res[GR_CRASH_RES].rlim_max); + write_lock(&gr_uid_lock); + gr_insert_uid(task->uid, curr->expires); + write_unlock(&gr_uid_lock); + curr->expires = 0; + curr->crashes = 0; + read_lock(&tasklist_lock); + for_each_process(tsk) { + tsk2 = tsk; + do { + if (tsk2 != task && tsk2->uid == task->uid) + gr_fake_force_sig(SIGKILL, tsk2); + } while ((tsk2 = next_thread(tsk2)) != tsk); + } + read_unlock(&tasklist_lock); + } else { + security_alert(GR_SEGVNOSUID_ACL_MSG, + gr_task_fullpath(task), task->comm, + task->pid, task->uid, task->euid, + task->gid, task->egid, + gr_parent_task_fullpath(task), + task->parent->comm, task->parent->pid, + task->parent->uid, task->parent->euid, + task->parent->gid, task->parent->egid, + curr->res[GR_CRASH_RES].rlim_max); + read_lock(&tasklist_lock); + for_each_process(tsk) { + tsk2 = tsk; + do { + if (likely(tsk2 != task)) { + curr2 = tsk2->acl; + + if (curr2->device == curr->device && + curr2->inode == curr->inode) + gr_fake_force_sig(SIGKILL, tsk2); + } + } while ((tsk2 = next_thread(tsk2)) != tsk); + } + read_unlock(&tasklist_lock); + } + } + + return; +} + +int +gr_check_crash_exec(const struct file *filp) +{ + struct acl_subject_label *curr; + + if (unlikely(!gr_acl_is_enabled())) + return 0; + + read_lock(&gr_inode_lock); + curr = lookup_acl_subj_label(filp->f_dentry->d_inode->i_ino, + filp->f_dentry->d_inode->i_sb->s_dev, + current->role); + read_unlock(&gr_inode_lock); + + if (!curr || !(curr->resmask & (1 << GR_CRASH_RES)) || + (!curr->crashes && !curr->expires)) + return 0; + + if ((curr->crashes >= curr->res[GR_CRASH_RES].rlim_cur) && + time_after(curr->expires, get_seconds())) + return 1; + else if (time_before_eq(curr->expires, get_seconds())) { + curr->crashes = 0; + curr->expires = 0; + } + + return 0; +} + +void +gr_handle_alertkill(void) +{ + struct acl_subject_label *curracl; + __u32 curr_ip; + struct task_struct *task, *task2; + + if (unlikely(!gr_acl_is_enabled())) + return; + + curracl = current->acl; + curr_ip = current->curr_ip; + + if ((curracl->mode & GR_KILLIPPROC) && curr_ip && + (curr_ip != 0xffffffff)) { + read_lock(&tasklist_lock); + for_each_process(task) { + task2 = task; + do { + if (task2->curr_ip == curr_ip) + gr_fake_force_sig(SIGKILL, task2); + } while ((task2 = next_thread(task2)) != task); + } + read_unlock(&tasklist_lock); + } else if (curracl->mode & GR_KILLPROC) + gr_fake_force_sig(SIGKILL, current); + + return; +} diff -uNr linux-2.6.7-rc1.orig/grsecurity/gracl_shm.c linux-2.6.7-rc1/grsecurity/gracl_shm.c --- linux-2.6.7-rc1.orig/grsecurity/gracl_shm.c 1970-01-01 01:00:00.000000000 +0100 +++ linux-2.6.7-rc1/grsecurity/gracl_shm.c 2004-05-25 14:33:58.924402456 +0200 @@ -0,0 +1,36 @@ +/* shared memory handling routines, (c) Brad Spengler 2002, 2003 */ + +#include +#include +#include +#include +#include +#include +#include +#include + +int +gr_handle_shmat(const pid_t shm_cprid, const pid_t shm_lapid, + const time_t shm_createtime, const uid_t cuid, const int shmid) +{ + struct task_struct *task; + + if (!gr_acl_is_enabled()) + return 1; + + task = find_task_by_pid(shm_cprid); + + if (unlikely(!task)) + task = find_task_by_pid(shm_lapid); + + if (unlikely(task && ((task->start_time < shm_createtime) || + (task->pid == shm_lapid)) && + (task->acl->mode & GR_PROTSHM) && + (task->acl != current->acl))) { + security_alert(GR_SHMAT_ACL_MSG, cuid, shm_cprid, shmid, + DEFAULTSECARGS); + return 0; + } + + return 1; +} diff -uNr linux-2.6.7-rc1.orig/grsecurity/grsec_chdir.c linux-2.6.7-rc1/grsecurity/grsec_chdir.c --- linux-2.6.7-rc1.orig/grsecurity/grsec_chdir.c 1970-01-01 01:00:00.000000000 +0100 +++ linux-2.6.7-rc1/grsecurity/grsec_chdir.c 2004-05-25 14:33:58.925402304 +0200 @@ -0,0 +1,20 @@ +#include +#include +#include +#include +#include +#include + +void +gr_log_chdir(const struct dentry *dentry, const struct vfsmount *mnt) +{ +#ifdef CONFIG_GRKERNSEC_AUDIT_CHDIR + if ((grsec_enable_chdir && grsec_enable_group && + in_group_p(grsec_audit_gid)) || (grsec_enable_chdir && + !grsec_enable_group)) { + security_audit(GR_CHDIR_AUDIT_MSG, gr_to_filename(dentry, mnt), + DEFAULTSECARGS); + } +#endif + return; +} diff -uNr linux-2.6.7-rc1.orig/grsecurity/grsec_chroot.c linux-2.6.7-rc1/grsecurity/grsec_chroot.c --- linux-2.6.7-rc1.orig/grsecurity/grsec_chroot.c 1970-01-01 01:00:00.000000000 +0100 +++ linux-2.6.7-rc1/grsecurity/grsec_chroot.c 2004-05-25 14:33:58.928401848 +0200 @@ -0,0 +1,348 @@ +#include +#include +#include +#include +#include +#include +#include +#include + +int +gr_handle_chroot_unix(const pid_t pid) +{ +#ifdef CONFIG_GRKERNSEC_CHROOT_UNIX + struct pid *spid = NULL; + + if (unlikely(!grsec_enable_chroot_unix)) + return 1; + + if (likely(!proc_is_chrooted(current))) + return 1; + + read_lock(&tasklist_lock); + + spid = find_pid(PIDTYPE_PID, pid); + if (spid) { + struct task_struct *p; + p = pid_task(spid->task_list.next, PIDTYPE_PID); + if (unlikely(!have_same_root(current, p))) { + read_unlock(&tasklist_lock); + security_alert(GR_UNIX_CHROOT_MSG, DEFAULTSECARGS); + return 0; + } + } + read_unlock(&tasklist_lock); +#endif + return 1; +} + +int +gr_handle_chroot_nice(void) +{ +#ifdef CONFIG_GRKERNSEC_CHROOT_NICE + if (grsec_enable_chroot_nice && proc_is_chrooted(current)) { + security_alert(GR_NICE_CHROOT_MSG, DEFAULTSECARGS); + return -EPERM; + } +#endif + return 0; +} + +int +gr_handle_chroot_setpriority(struct task_struct *p, const int niceval) +{ +#ifdef CONFIG_GRKERNSEC_CHROOT_NICE + if (grsec_enable_chroot_nice && (!have_same_root(p, current) + || (have_same_root(p, current) + && (niceval < task_nice(p)) + && proc_is_chrooted(current)))) { + security_alert(GR_PRIORITY_CHROOT_MSG, p->comm, p->pid, + DEFAULTSECARGS); + return -ESRCH; + } +#endif + return 0; +} + +int +gr_handle_chroot_capset(const struct task_struct *target) +{ +#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS + if (grsec_enable_chroot_caps && proc_is_chrooted(current) && + !have_same_root(current, target)) { + security_alert(GR_CAPSET_CHROOT_MSG, target->comm, target->pid, + DEFAULTSECARGS); + return 1; + } +#endif + return 0; +} + +int +gr_handle_chroot_rawio(const struct inode *inode) +{ +#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS + if (grsec_enable_chroot_caps && proc_is_chrooted(current) && + inode && S_ISBLK(inode->i_mode) && !capable(CAP_SYS_RAWIO)) + return 1; +#endif + return 0; +} + +int +gr_pid_is_chrooted(const struct task_struct *p) +{ +#ifdef CONFIG_GRKERNSEC_CHROOT_FINDTASK + if (!grsec_enable_chroot_findtask || (current->pid <= 1)) + return 0; + + if (p && p->fs && p->fs->root && p->fs->root->d_inode && + child_reaper && child_reaper->fs && child_reaper->fs->root && + child_reaper->fs->root->d_inode && current && current->fs && + current->fs->root && current->fs->root->d_inode) { + if (proc_is_chrooted(current) && !have_same_root(current, p)) + return 1; + } +#endif + return 0; +} + +EXPORT_SYMBOL(gr_pid_is_chrooted); + +#if defined(CONFIG_GRKERNSEC_CHROOT_DOUBLE) || defined(CONFIG_GRKERNSEC_CHROOT_FCHDIR) +int gr_is_outside_chroot(const struct dentry *u_dentry, const struct vfsmount *u_mnt) +{ + struct dentry *dentry = (struct dentry *)u_dentry; + struct vfsmount *mnt = (struct vfsmount *)u_mnt; + struct dentry *realroot; + struct vfsmount *realrootmnt; + struct dentry *currentroot; + struct vfsmount *currentmnt; + + read_lock(&child_reaper->fs->lock); + realrootmnt = mntget(child_reaper->fs->rootmnt); + realroot = dget(child_reaper->fs->root); + read_unlock(&child_reaper->fs->lock); + + read_lock(¤t->fs->lock); + currentmnt = mntget(current->fs->rootmnt); + currentroot = dget(current->fs->root); + read_unlock(¤t->fs->lock); + + spin_lock(&dcache_lock); + for (;;) { + if (unlikely((dentry == realroot && mnt == realrootmnt) + || (dentry == currentroot && mnt == currentmnt))) + break; + if (unlikely(dentry == mnt->mnt_root || IS_ROOT(dentry))) { + if (mnt->mnt_parent == mnt) + break; + dentry = mnt->mnt_mountpoint; + mnt = mnt->mnt_parent; + continue; + } + dentry = dentry->d_parent; + } + spin_unlock(&dcache_lock); + + dput(currentroot); + mntput(currentmnt); + + if (dentry == realroot && mnt == realrootmnt) { + /* access is outside of chroot */ + dput(realroot); + mntput(realrootmnt); + return 0; + } + + dput(realroot); + mntput(realrootmnt); + return 1; +} +#endif + +int +gr_chroot_fchdir(struct dentry *u_dentry, struct vfsmount *u_mnt) +{ +#ifdef CONFIG_GRKERNSEC_CHROOT_FCHDIR + if (!grsec_enable_chroot_fchdir) + return 1; + + if (!proc_is_chrooted(current)) + return 1; + else if (!gr_is_outside_chroot(u_dentry, u_mnt)) { + security_alert(GR_CHROOT_FCHDIR_MSG, + gr_to_filename(u_dentry, u_mnt), + DEFAULTSECARGS); + return 0; + } +#endif + return 1; +} + +int +gr_chroot_shmat(const pid_t shm_cprid, const pid_t shm_lapid, + const time_t shm_createtime) +{ +#ifdef CONFIG_GRKERNSEC_CHROOT_SHMAT + struct pid *pid = NULL; + u64 starttime64; + time_t starttime; + + if (unlikely(!grsec_enable_chroot_shmat)) + return 1; + + if (likely(!proc_is_chrooted(current))) + return 1; + + read_lock(&tasklist_lock); + + pid = find_pid(PIDTYPE_PID, shm_cprid); + if (pid) { + struct task_struct *p; + p = pid_task(pid->task_list.next, PIDTYPE_PID); + starttime64 = p->start_time; + do_div(starttime64, HZ); + starttime = (time_t) starttime64; + if (unlikely(!have_same_root(current, p) && + time_before((unsigned long)starttime, (unsigned long)shm_createtime))) { + read_unlock(&tasklist_lock); + security_alert(GR_SHMAT_CHROOT_MSG, DEFAULTSECARGS); + return 0; + } + } else { + pid = find_pid(PIDTYPE_PID, shm_lapid); + if (pid) { + struct task_struct *p; + p = pid_task(pid->task_list.next, PIDTYPE_PID); + if (unlikely(!have_same_root(current, p))) { + read_unlock(&tasklist_lock); + security_alert(GR_SHMAT_CHROOT_MSG, DEFAULTSECARGS); + return 0; + } + } + } + + read_unlock(&tasklist_lock); +#endif + return 1; +} + +void +gr_log_chroot_exec(const struct dentry *dentry, const struct vfsmount *mnt) +{ +#ifdef CONFIG_GRKERNSEC_CHROOT_EXECLOG + if (grsec_enable_chroot_execlog && proc_is_chrooted(current)) + security_audit(GR_EXEC_CHROOT_MSG, gr_to_filename(dentry, mnt), + DEFAULTSECARGS); +#endif + return; +} + +int +gr_handle_chroot_mknod(const struct dentry *dentry, + const struct vfsmount *mnt, const int mode) +{ +#ifdef CONFIG_GRKERNSEC_CHROOT_MKNOD + if (grsec_enable_chroot_mknod && !S_ISFIFO(mode) && !S_ISREG(mode) && + proc_is_chrooted(current)) { + security_alert(GR_MKNOD_CHROOT_MSG, + gr_to_filename(dentry, mnt), DEFAULTSECARGS); + return -EPERM; + } +#endif + return 0; +} + +int +gr_handle_chroot_mount(const struct dentry *dentry, + const struct vfsmount *mnt, const char *dev_name) +{ +#ifdef CONFIG_GRKERNSEC_CHROOT_MOUNT + if (grsec_enable_chroot_mount && proc_is_chrooted(current)) { + security_alert(GR_MOUNT_CHROOT_MSG, dev_name, + gr_to_filename(dentry, mnt), DEFAULTSECARGS); + return -EPERM; + } +#endif + return 0; +} + +int +gr_handle_chroot_pivot(void) +{ +#ifdef CONFIG_GRKERNSEC_CHROOT_PIVOT + if (grsec_enable_chroot_pivot && proc_is_chrooted(current)) { + security_alert(GR_PIVOT_CHROOT_MSG, DEFAULTSECARGS); + return -EPERM; + } +#endif + return 0; +} + +int +gr_handle_chroot_chroot(const struct dentry *dentry, const struct vfsmount *mnt) +{ +#ifdef CONFIG_GRKERNSEC_CHROOT_DOUBLE + if (grsec_enable_chroot_double && proc_is_chrooted(current) && + !gr_is_outside_chroot(dentry, mnt)) { + security_alert(GR_CHROOT_CHROOT_MSG, + gr_to_filename(dentry, mnt), DEFAULTSECARGS); + return -EPERM; + } +#endif + return 0; +} + +void +gr_handle_chroot_caps(struct task_struct *task) +{ +#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS + if (grsec_enable_chroot_caps && proc_is_chrooted(task)) { + task->cap_permitted = + cap_drop(task->cap_permitted, GR_CHROOT_CAPS); + task->cap_inheritable = + cap_drop(task->cap_inheritable, GR_CHROOT_CAPS); + task->cap_effective = + cap_drop(task->cap_effective, GR_CHROOT_CAPS); + } +#endif + return; +} + +int +gr_handle_chroot_sysctl(const int op) +{ +#ifdef CONFIG_GRKERNSEC_CHROOT_SYSCTL + if (grsec_enable_chroot_sysctl && proc_is_chrooted(current) + && (op & 002)) + return -EACCES; +#endif + return 0; +} + +void +gr_handle_chroot_chdir(struct dentry *dentry, struct vfsmount *mnt) +{ +#ifdef CONFIG_GRKERNSEC_CHROOT_CHDIR + if (grsec_enable_chroot_chdir) + set_fs_pwd(current->fs, mnt, dentry); +#endif + return; +} + +int +gr_handle_chroot_chmod(const struct dentry *dentry, + const struct vfsmount *mnt, const int mode) +{ +#ifdef CONFIG_GRKERNSEC_CHROOT_CHMOD + if (grsec_enable_chroot_chmod && + ((mode & S_ISUID) || (mode & S_ISGID)) && + proc_is_chrooted(current)) { + security_alert(GR_CHMOD_CHROOT_MSG, + gr_to_filename(dentry, mnt), DEFAULTSECARGS); + return -EPERM; + } +#endif + return 0; +} diff -uNr linux-2.6.7-rc1.orig/grsecurity/grsec_disabled.c linux-2.6.7-rc1/grsecurity/grsec_disabled.c --- linux-2.6.7-rc1.orig/grsecurity/grsec_disabled.c 1970-01-01 01:00:00.000000000 +0100 +++ linux-2.6.7-rc1/grsecurity/grsec_disabled.c 2004-05-25 14:33:58.931401392 +0200 @@ -0,0 +1,392 @@ +/* + * when grsecurity is disabled, compile all external functions into nothing + */ + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#ifdef CONFIG_SYSCTL +__inline__ __u32 +gr_handle_sysctl(const struct ctl_table * table, __u32 mode) +{ + return mode; +} +#endif + +__inline__ int +gr_acl_is_enabled(void) +{ + return 0; +} + +__inline__ int +gr_handle_rawio(const struct inode *inode) +{ + return 0; +} + +__inline__ void +gr_acl_handle_psacct(struct task_struct *task, const long code) +{ + return; +} + +__inline__ int +gr_handle_ptrace_exec(const struct dentry *dentry, const struct vfsmount *mnt) +{ + return 0; +} + +__inline__ int +gr_handle_mmap(const struct file *filp, const unsigned long prot) +{ + return 0; +} + +__inline__ int +gr_handle_ptrace(struct task_struct *task, const long request) +{ + return 0; +} + +__inline__ int +gr_handle_proc_ptrace(struct task_struct *task) +{ + return 0; +} + +__inline__ void +gr_learn_resource(const struct task_struct *task, + const int res, const unsigned long wanted, const int gt) +{ + return; +} + +__inline__ int +gr_set_acls(const int type) +{ + return 0; +} + +__inline__ int +gr_check_hidden_task(const struct task_struct *tsk) +{ + return 0; +} + +__inline__ int +gr_check_protected_task(const struct task_struct *task) +{ + return 0; +} + +__inline__ void +gr_copy_label(struct task_struct *tsk) +{ + return; +} + +__inline__ void +gr_set_proc_label(const struct dentry *dentry, const struct vfsmount *mnt) +{ + return; +} + +__inline__ void +gr_handle_delete(const ino_t ino, const dev_t dev) +{ + return; +} + +__inline__ void +gr_handle_create(const struct dentry *dentry, const struct vfsmount *mnt) +{ + return; +} + +__inline__ void +gr_handle_crash(struct task_struct *task, const int sig) +{ + return; +} + +__inline__ int +gr_check_crash_exec(const struct file *filp) +{ + return 0; +} + +__inline__ int +gr_check_crash_uid(const uid_t uid) +{ + return 0; +} + +__inline__ void +gr_handle_rename(struct inode *old_dir, struct inode *new_dir, + struct dentry *old_dentry, + struct dentry *new_dentry, + struct vfsmount *mnt, const __u8 replace) +{ + return; +} + +__inline__ int +gr_search_socket(const int family, const int type, const int protocol) +{ + return 1; +} + +__inline__ int +gr_search_connectbind(const int mode, const struct socket *sock, + const struct sockaddr_in *addr) +{ + return 1; +} + +__inline__ int +gr_task_is_capable(struct task_struct *task, const int cap) +{ + return 1; +} + +__inline__ int +gr_is_capable_nolog(const int cap) +{ + return 1; +} + +__inline__ void +gr_handle_alertkill(void) +{ + return; +} + +__inline__ __u32 +gr_acl_handle_execve(const struct dentry * dentry, const struct vfsmount * mnt) +{ + return 1; +} + +__inline__ __u32 +gr_acl_handle_hidden_file(const struct dentry * dentry, + const struct vfsmount * mnt) +{ + return 1; +} + +__inline__ __u32 +gr_acl_handle_open(const struct dentry * dentry, const struct vfsmount * mnt, + const int fmode) +{ + return 1; +} + +__inline__ __u32 +gr_acl_handle_rmdir(const struct dentry * dentry, const struct vfsmount * mnt) +{ + return 1; +} + +__inline__ __u32 +gr_acl_handle_unlink(const struct dentry * dentry, const struct vfsmount * mnt) +{ + return 1; +} + +__inline__ int +gr_acl_handle_mmap(const struct file *file, const unsigned long prot, + unsigned int *vm_flags) +{ + return 1; +} + +__inline__ __u32 +gr_acl_handle_truncate(const struct dentry * dentry, + const struct vfsmount * mnt) +{ + return 1; +} + +__inline__ __u32 +gr_acl_handle_utime(const struct dentry * dentry, const struct vfsmount * mnt) +{ + return 1; +} + +__inline__ __u32 +gr_acl_handle_access(const struct dentry * dentry, + const struct vfsmount * mnt, const int fmode) +{ + return 1; +} + +__inline__ __u32 +gr_acl_handle_fchmod(const struct dentry * dentry, const struct vfsmount * mnt, + mode_t mode) +{ + return 1; +} + +__inline__ __u32 +gr_acl_handle_chmod(const struct dentry * dentry, const struct vfsmount * mnt, + mode_t mode) +{ + return 1; +} + +__inline__ __u32 +gr_acl_handle_chown(const struct dentry * dentry, const struct vfsmount * mnt) +{ + return 1; +} + +__inline__ void +grsecurity_init(void) +{ + return; +} + +__inline__ __u32 +gr_acl_handle_mknod(const struct dentry * new_dentry, + const struct dentry * parent_dentry, + const struct vfsmount * parent_mnt, + const int mode) +{ + return 1; +} + +__inline__ __u32 +gr_acl_handle_mkdir(const struct dentry * new_dentry, + const struct dentry * parent_dentry, + const struct vfsmount * parent_mnt) +{ + return 1; +} + +__inline__ __u32 +gr_acl_handle_symlink(const struct dentry * new_dentry, + const struct dentry * parent_dentry, + const struct vfsmount * parent_mnt, const char *from) +{ + return 1; +} + +__inline__ __u32 +gr_acl_handle_link(const struct dentry * new_dentry, + const struct dentry * parent_dentry, + const struct vfsmount * parent_mnt, + const struct dentry * old_dentry, + const struct vfsmount * old_mnt, const char *to) +{ + return 1; +} + +__inline__ int +gr_acl_handle_rename(const struct dentry *new_dentry, + const struct dentry *parent_dentry, + const struct vfsmount *parent_mnt, + const struct dentry *old_dentry, + const struct inode *old_parent_inode, + const struct vfsmount *old_mnt, const char *newname) +{ + return 0; +} + +__inline__ __u32 +gr_acl_handle_filldir(const struct dentry * dentry, + const struct vfsmount * mnt, const ino_t ino) +{ + return 1; +} + +__inline__ int +gr_handle_shmat(const pid_t shm_cprid, const pid_t shm_lapid, + const time_t shm_createtime, const uid_t cuid, const int shmid) +{ + return 1; +} + +__inline__ int +gr_search_bind(const struct socket *sock, const struct sockaddr_in *addr) +{ + return 1; +} + +__inline__ int +gr_search_connect(const struct socket *sock, const struct sockaddr_in *addr) +{ + return 1; +} + +__inline__ __u32 +gr_acl_handle_unix(const struct dentry * dentry, const struct vfsmount * mnt) +{ + return 1; +} + +__inline__ __u32 +gr_acl_handle_creat(const struct dentry * dentry, + const struct dentry * p_dentry, + const struct vfsmount * p_mnt, const int fmode, + const int imode) +{ + return 1; +} + +__inline__ void +gr_acl_handle_exit(void) +{ + return; +} + +__inline__ int +gr_acl_handle_mprotect(const struct file *file, const unsigned long prot) +{ + return 1; +} + +__inline__ void +gr_set_role_label(const uid_t uid, const gid_t gid) +{ + return; +} + +__inline__ int +gr_acl_handle_procpidmem(const struct task_struct *task) +{ + return 0; +} + +__inline__ int +gr_search_udp_recvmsg(const struct sock *sk, const struct sk_buff *skb) +{ + return 1; +} + +__inline__ int +gr_search_udp_sendmsg(const struct sock *sk, const struct sockaddr_in *addr) +{ + return 1; +} + +__inline__ void +gr_set_kernel_label(struct task_struct *task) +{ + return; +} + +EXPORT_SYMBOL(gr_task_is_capable); +EXPORT_SYMBOL(gr_learn_resource); +EXPORT_SYMBOL(gr_set_kernel_label); + diff -uNr linux-2.6.7-rc1.orig/grsecurity/grsec_exec.c linux-2.6.7-rc1/grsecurity/grsec_exec.c --- linux-2.6.7-rc1.orig/grsecurity/grsec_exec.c 1970-01-01 01:00:00.000000000 +0100 +++ linux-2.6.7-rc1/grsecurity/grsec_exec.c 2004-05-25 14:33:58.932401240 +0200 @@ -0,0 +1,71 @@ +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#include + +int +gr_handle_nproc(void) +{ +#ifdef CONFIG_GRKERNSEC_EXECVE + if (grsec_enable_execve && current->user && + (atomic_read(¤t->user->processes) > + current->rlim[RLIMIT_NPROC].rlim_cur) && + !capable(CAP_SYS_ADMIN) && !capable(CAP_SYS_RESOURCE)) { + security_alert(GR_NPROC_MSG, DEFAULTSECARGS); + return -EAGAIN; + } +#endif + return 0; +} + +void +gr_handle_exec_args(struct linux_binprm *bprm, char **argv) +{ +#ifdef CONFIG_GRKERNSEC_EXECLOG + char grarg[64] = { 0 }; + __u8 execlen = 0; + unsigned int i; + + if (!((grsec_enable_execlog && grsec_enable_group && + in_group_p(grsec_audit_gid)) + || (grsec_enable_execlog && !grsec_enable_group))) + return; + + if (unlikely(!argv)) + goto log; + + for (i = 0; i < bprm->argc && execlen < 62; i++) { + char *p; + __u8 len; + + if (get_user(p, argv + i)) + goto log; + if (!p) + goto log; + len = strnlen_user(p, 62 - execlen); + if (len > 62 - execlen) + len = 62 - execlen; + else if (len > 0) + len--; + if (copy_from_user(grarg + execlen, p, len)) + goto log; + execlen += len; + *(grarg + execlen) = ' '; + *(grarg + execlen + 1) = '\0'; + execlen++; + } + + log: + security_audit(GR_EXEC_AUDIT_MSG, gr_to_filename(bprm->file->f_dentry, + bprm->file->f_vfsmnt), + grarg, DEFAULTSECARGS); +#endif + return; +} diff -uNr linux-2.6.7-rc1.orig/grsecurity/grsec_fifo.c linux-2.6.7-rc1/grsecurity/grsec_fifo.c --- linux-2.6.7-rc1.orig/grsecurity/grsec_fifo.c 1970-01-01 01:00:00.000000000 +0100 +++ linux-2.6.7-rc1/grsecurity/grsec_fifo.c 2004-05-25 14:33:58.934400936 +0200 @@ -0,0 +1,24 @@ +#include +#include +#include +#include +#include + +int +gr_handle_fifo(const struct dentry *dentry, const struct vfsmount *mnt, + const struct dentry *dir, const int flag, const int acc_mode) +{ +#ifdef CONFIG_GRKERNSEC_FIFO + if (grsec_enable_fifo && S_ISFIFO(dentry->d_inode->i_mode) && + !(flag & O_EXCL) && (dir->d_inode->i_mode & S_ISVTX) && + (dentry->d_inode->i_uid != dir->d_inode->i_uid) && + (current->fsuid != dentry->d_inode->i_uid)) { + if (!vfs_permission(dentry->d_inode, acc_mode)) + security_alert(GR_FIFO_MSG, gr_to_filename(dentry, mnt), + dentry->d_inode->i_uid, + dentry->d_inode->i_gid, DEFAULTSECARGS); + return -EACCES; + } +#endif + return 0; +} diff -uNr linux-2.6.7-rc1.orig/grsecurity/grsec_fork.c linux-2.6.7-rc1/grsecurity/grsec_fork.c --- linux-2.6.7-rc1.orig/grsecurity/grsec_fork.c 1970-01-01 01:00:00.000000000 +0100 +++ linux-2.6.7-rc1/grsecurity/grsec_fork.c 2004-05-25 14:33:58.935400784 +0200 @@ -0,0 +1,14 @@ +#include +#include +#include +#include + +void +gr_log_forkfail(const int retval) +{ +#ifdef CONFIG_GRKERNSEC_FORKFAIL + if (grsec_enable_forkfail) + security_alert(GR_FAILFORK_MSG, retval, DEFAULTSECARGS); +#endif + return; +} diff -uNr linux-2.6.7-rc1.orig/grsecurity/grsec_init.c linux-2.6.7-rc1/grsecurity/grsec_init.c --- linux-2.6.7-rc1.orig/grsecurity/grsec_init.c 1970-01-01 01:00:00.000000000 +0100 +++ linux-2.6.7-rc1/grsecurity/grsec_init.c 2004-05-25 14:33:58.938400328 +0200 @@ -0,0 +1,223 @@ +#include +#include +#include +#include +#include +#include +#include +#include + +int grsec_enable_link; +int grsec_enable_dmesg; +int grsec_enable_fifo; +int grsec_enable_execve; +int grsec_enable_execlog; +int grsec_enable_signal; +int grsec_enable_forkfail; +int grsec_enable_time; +int grsec_enable_group; +int grsec_audit_gid; +int grsec_enable_chdir; +int grsec_enable_audit_ipc; +int grsec_enable_mount; +int grsec_enable_chroot_findtask; +int grsec_enable_chroot_mount; +int grsec_enable_chroot_shmat; +int grsec_enable_chroot_fchdir; +int grsec_enable_chroot_double; +int grsec_enable_chroot_pivot; +int grsec_enable_chroot_chdir; +int grsec_enable_chroot_chmod; +int grsec_enable_chroot_mknod; +int grsec_enable_chroot_nice; +int grsec_enable_chroot_execlog; +int grsec_enable_chroot_caps; +int grsec_enable_chroot_sysctl; +int grsec_enable_chroot_unix; +int grsec_enable_tpe; +int grsec_tpe_gid; +int grsec_enable_tpe_all; +int grsec_enable_randpid; +int grsec_enable_randid; +int grsec_enable_randisn; +int grsec_enable_randsrc; +int grsec_enable_randrpc; +int grsec_enable_socket_all; +int grsec_socket_all_gid; +int grsec_enable_socket_client; +int grsec_socket_client_gid; +int grsec_enable_socket_server; +int grsec_socket_server_gid; +int grsec_lock; + +spinlock_t grsec_alert_lock = SPIN_LOCK_UNLOCKED; +unsigned long grsec_alert_wtime = 0; +unsigned long grsec_alert_fyet = 0; + +spinlock_t grsec_alertgood_lock = SPIN_LOCK_UNLOCKED; +unsigned long grsec_alertgood_wtime = 0; +unsigned long grsec_alertgood_fyet = 0; + +spinlock_t grsec_audit_lock = SPIN_LOCK_UNLOCKED; + +char *gr_shared_page[4]; +extern struct gr_arg *gr_usermode; +extern unsigned char *gr_system_salt; +extern unsigned char *gr_system_sum; +extern struct task_struct **gr_conn_table; +extern const unsigned int gr_conn_table_size; + +void +grsecurity_init(void) +{ + int j; + /* create the per-cpu shared pages */ + + preempt_disable(); + for (j = 0; j < 4; j++) { + gr_shared_page[j] = (char *)__alloc_percpu(PAGE_SIZE, __alignof__(char *)); + if (gr_shared_page[j] == NULL) { + panic("Unable to allocate grsecurity shared page"); + return; + } + } + preempt_enable(); + + /* create hash tables for ip tagging */ + + gr_conn_table = (struct task_struct **) vmalloc(gr_conn_table_size * sizeof(struct task_struct *)); + if (gr_conn_table == NULL) { + panic("Unable to allocate grsecurity IP tagging table"); + return; + } + memset(gr_conn_table, 0, gr_conn_table_size * sizeof(struct task_struct *)); + + /* allocate memory for authentication structure */ + gr_usermode = kmalloc(sizeof(struct gr_arg), GFP_KERNEL); + gr_system_salt = kmalloc(GR_SALT_LEN, GFP_KERNEL); + gr_system_sum = kmalloc(GR_SHA_LEN, GFP_KERNEL); + + if (!gr_usermode || !gr_system_salt || !gr_system_sum) { + panic("Unable to allocate grsecurity authentication structure"); + return; + } + +#ifndef CONFIG_GRKERNSEC_SYSCTL + grsec_lock = 1; +#ifdef CONFIG_GRKERNSEC_AUDIT_GROUP + grsec_enable_group = 1; + grsec_audit_gid = CONFIG_GRKERNSEC_AUDIT_GID; +#endif +#ifdef CONFIG_GRKERNSEC_AUDIT_CHDIR + grsec_enable_chdir = 1; +#endif +#ifdef CONFIG_GRKERNSEC_AUDIT_IPC + grsec_enable_audit_ipc = 1; +#endif +#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT + grsec_enable_mount = 1; +#endif +#ifdef CONFIG_GRKERNSEC_LINK + grsec_enable_link = 1; +#endif +#ifdef CONFIG_GRKERNSEC_DMESG + grsec_enable_dmesg = 1; +#endif +#ifdef CONFIG_GRKERNSEC_FIFO + grsec_enable_fifo = 1; +#endif +#ifdef CONFIG_GRKERNSEC_EXECVE + grsec_enable_execve = 1; +#endif +#ifdef CONFIG_GRKERNSEC_EXECLOG + grsec_enable_execlog = 1; +#endif +#ifdef CONFIG_GRKERNSEC_SIGNAL + grsec_enable_signal = 1; +#endif +#ifdef CONFIG_GRKERNSEC_FORKFAIL + grsec_enable_forkfail = 1; +#endif +#ifdef CONFIG_GRKERNSEC_TIME + grsec_enable_time = 1; +#endif +#ifdef CONFIG_GRKERNSEC_CHROOT_FINDTASK + grsec_enable_chroot_findtask = 1; +#endif +#ifdef CONFIG_GRKERNSEC_CHROOT_UNIX + grsec_enable_chroot_unix = 1; +#endif +#ifdef CONFIG_GRKERNSEC_CHROOT_MOUNT + grsec_enable_chroot_mount = 1; +#endif +#ifdef CONFIG_GRKERNSEC_CHROOT_FCHDIR + grsec_enable_chroot_fchdir = 1; +#endif +#ifdef CONFIG_GRKERNSEC_CHROOT_SHMAT + grsec_enable_chroot_shmat = 1; +#endif +#ifdef CONFIG_GRKERNSEC_CHROOT_DOUBLE + grsec_enable_chroot_double = 1; +#endif +#ifdef CONFIG_GRKERNSEC_CHROOT_PIVOT + grsec_enable_chroot_pivot = 1; +#endif +#ifdef CONFIG_GRKERNSEC_CHROOT_CHDIR + grsec_enable_chroot_chdir = 1; +#endif +#ifdef CONFIG_GRKERNSEC_CHROOT_CHMOD + grsec_enable_chroot_chmod = 1; +#endif +#ifdef CONFIG_GRKERNSEC_CHROOT_MKNOD + grsec_enable_chroot_mknod = 1; +#endif +#ifdef CONFIG_GRKERNSEC_CHROOT_NICE + grsec_enable_chroot_nice = 1; +#endif +#ifdef CONFIG_GRKERNSEC_CHROOT_EXECLOG + grsec_enable_chroot_execlog = 1; +#endif +#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS + grsec_enable_chroot_caps = 1; +#endif +#ifdef CONFIG_GRKERNSEC_CHROOT_SYSCTL + grsec_enable_chroot_sysctl = 1; +#endif +#ifdef CONFIG_GRKERNSEC_TPE + grsec_enable_tpe = 1; + grsec_tpe_gid = CONFIG_GRKERNSEC_TPE_GID; +#ifdef CONFIG_GRKERNSEC_TPE_ALL + grsec_enable_tpe_all = 1; +#endif +#endif +#ifdef CONFIG_GRKERNSEC_RANDPID + grsec_enable_randpid = 1; +#endif +#ifdef CONFIG_GRKERNSEC_RANDID + grsec_enable_randid = 1; +#endif +#ifdef CONFIG_GRKERNSEC_RANDISN + grsec_enable_randisn = 1; +#endif +#ifdef CONFIG_GRKERNSEC_RANDSRC + grsec_enable_randsrc = 1; +#endif +#ifdef CONFIG_GRKERNSEC_RANDRPC + grsec_enable_randrpc = 1; +#endif +#ifdef CONFIG_GRKERNSEC_SOCKET_ALL + grsec_enable_socket_all = 1; + grsec_socket_all_gid = CONFIG_GRKERNSEC_SOCKET_ALL_GID; +#endif +#ifdef CONFIG_GRKERNSEC_SOCKET_CLIENT + grsec_enable_socket_client = 1; + grsec_socket_client_gid = CONFIG_GRKERNSEC_SOCKET_CLIENT_GID; +#endif +#ifdef CONFIG_GRKERNSEC_SOCKET_SERVER + grsec_enable_socket_server = 1; + grsec_socket_server_gid = CONFIG_GRKERNSEC_SOCKET_SERVER_GID; +#endif +#endif + + return; +} diff -uNr linux-2.6.7-rc1.orig/grsecurity/grsec_ipc.c linux-2.6.7-rc1/grsecurity/grsec_ipc.c --- linux-2.6.7-rc1.orig/grsecurity/grsec_ipc.c 1970-01-01 01:00:00.000000000 +0100 +++ linux-2.6.7-rc1/grsecurity/grsec_ipc.c 2004-05-25 14:33:58.939400176 +0200 @@ -0,0 +1,81 @@ +#include +#include +#include +#include +#include +#include + +void +gr_log_msgget(const int ret, const int msgflg) +{ +#ifdef CONFIG_GRKERNSEC_AUDIT_IPC + if (((grsec_enable_group && in_group_p(grsec_audit_gid) && + grsec_enable_audit_ipc) || (grsec_enable_audit_ipc && + !grsec_enable_group)) && (ret >= 0) + && (msgflg & IPC_CREAT)) + security_audit(GR_MSGQ_AUDIT_MSG, DEFAULTSECARGS); +#endif + return; +} + +void +gr_log_msgrm(const uid_t uid, const uid_t cuid) +{ +#ifdef CONFIG_GRKERNSEC_AUDIT_IPC + if ((grsec_enable_group && in_group_p(grsec_audit_gid) && + grsec_enable_audit_ipc) || + (grsec_enable_audit_ipc && !grsec_enable_group)) + security_audit(GR_MSGQR_AUDIT_MSG, uid, cuid, DEFAULTSECARGS); +#endif + return; +} + +void +gr_log_semget(const int err, const int semflg) +{ +#ifdef CONFIG_GRKERNSEC_AUDIT_IPC + if (((grsec_enable_group && in_group_p(grsec_audit_gid) && + grsec_enable_audit_ipc) || (grsec_enable_audit_ipc && + !grsec_enable_group)) && (err >= 0) + && (semflg & IPC_CREAT)) + security_audit(GR_SEM_AUDIT_MSG, DEFAULTSECARGS); +#endif + return; +} + +void +gr_log_semrm(const uid_t uid, const uid_t cuid) +{ +#ifdef CONFIG_GRKERNSEC_AUDIT_IPC + if ((grsec_enable_group && in_group_p(grsec_audit_gid) && + grsec_enable_audit_ipc) || + (grsec_enable_audit_ipc && !grsec_enable_group)) + security_audit(GR_SEMR_AUDIT_MSG, uid, cuid, DEFAULTSECARGS); +#endif + return; +} + +void +gr_log_shmget(const int err, const int shmflg, const size_t size) +{ +#ifdef CONFIG_GRKERNSEC_AUDIT_IPC + if (((grsec_enable_group && in_group_p(grsec_audit_gid) && + grsec_enable_audit_ipc) || (grsec_enable_audit_ipc && + !grsec_enable_group)) && (err >= 0) + && (shmflg & IPC_CREAT)) + security_audit(GR_SHM_AUDIT_MSG, size, DEFAULTSECARGS); +#endif + return; +} + +void +gr_log_shmrm(const uid_t uid, const uid_t cuid) +{ +#ifdef CONFIG_GRKERNSEC_AUDIT_IPC + if ((grsec_enable_group && in_group_p(grsec_audit_gid) && + grsec_enable_audit_ipc) || + (grsec_enable_audit_ipc && !grsec_enable_group)) + security_audit(GR_SHMR_AUDIT_MSG, uid, cuid, DEFAULTSECARGS); +#endif + return; +} diff -uNr linux-2.6.7-rc1.orig/grsecurity/grsec_link.c linux-2.6.7-rc1/grsecurity/grsec_link.c --- linux-2.6.7-rc1.orig/grsecurity/grsec_link.c 1970-01-01 01:00:00.000000000 +0100 +++ linux-2.6.7-rc1/grsecurity/grsec_link.c 2004-05-25 14:33:58.941399872 +0200 @@ -0,0 +1,41 @@ +#include +#include +#include +#include +#include + +int +gr_handle_follow_link(const struct inode *parent, + const struct inode *inode, + const struct dentry *dentry, const struct vfsmount *mnt) +{ +#ifdef CONFIG_GRKERNSEC_LINK + if (grsec_enable_link && S_ISLNK(inode->i_mode) && + (parent->i_mode & S_ISVTX) && (parent->i_uid != inode->i_uid) && + (parent->i_mode & S_IWOTH) && (current->fsuid != inode->i_uid)) { + security_alert(GR_SYMLINK_MSG, gr_to_filename(dentry, mnt), + inode->i_uid, inode->i_gid, DEFAULTSECARGS); + return -EACCES; + } +#endif + return 0; +} + +int +gr_handle_hardlink(const struct dentry *dentry, + const struct vfsmount *mnt, + struct inode *inode, const int mode, const char *to) +{ +#ifdef CONFIG_GRKERNSEC_LINK + if (grsec_enable_link && current->fsuid != inode->i_uid && + (!S_ISREG(mode) || (mode & S_ISUID) || + ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP)) || + (vfs_permission(inode, MAY_READ | MAY_WRITE))) && + !capable(CAP_FOWNER) && current->uid) { + security_alert(GR_HARDLINK_MSG, gr_to_filename(dentry, mnt), + inode->i_uid, inode->i_gid, to, DEFAULTSECARGS); + return -EPERM; + } +#endif + return 0; +} diff -uNr linux-2.6.7-rc1.orig/grsecurity/grsec_mem.c linux-2.6.7-rc1/grsecurity/grsec_mem.c --- linux-2.6.7-rc1.orig/grsecurity/grsec_mem.c 1970-01-01 01:00:00.000000000 +0100 +++ linux-2.6.7-rc1/grsecurity/grsec_mem.c 2004-05-25 14:33:58.943399568 +0200 @@ -0,0 +1,54 @@ +#include +#include +#include +#include +#include + +void +gr_handle_ioperm(void) +{ + security_alert(GR_IOPERM_MSG, DEFAULTSECARGS); + return; +} + +void +gr_handle_iopl(void) +{ + security_alert(GR_IOPL_MSG, DEFAULTSECARGS); + return; +} + +void +gr_handle_mem_write(void) +{ + security_alert(GR_MEM_WRITE_MSG, DEFAULTSECARGS); + return; +} + +void +gr_handle_kmem_write(void) +{ + security_alert(GR_KMEM_MSG, DEFAULTSECARGS); + return; +} + +void +gr_handle_open_port(void) +{ + security_alert(GR_PORT_OPEN_MSG, DEFAULTSECARGS); + return; +} + +int +gr_handle_mem_mmap(const unsigned long offset, struct vm_area_struct *vma) +{ + if (offset < __pa(high_memory) && (vma->vm_flags & VM_WRITE) && + !(offset == 0xf0000 && ((vma->vm_end - vma->vm_start) <= 0x10000)) && + !(offset == 0xa0000 && ((vma->vm_end - vma->vm_start) <= 0x20000))) { + security_alert(GR_MEM_MMAP_MSG, DEFAULTSECARGS); + return -EPERM; + } else if (offset < __pa(high_memory)) + vma->vm_flags &= ~VM_MAYWRITE; + + return 0; +} diff -uNr linux-2.6.7-rc1.orig/grsecurity/grsec_mount.c linux-2.6.7-rc1/grsecurity/grsec_mount.c --- linux-2.6.7-rc1.orig/grsecurity/grsec_mount.c 1970-01-01 01:00:00.000000000 +0100 +++ linux-2.6.7-rc1/grsecurity/grsec_mount.c 2004-05-25 14:33:58.944399416 +0200 @@ -0,0 +1,34 @@ +#include +#include +#include +#include + +void +gr_log_remount(const char *devname, const int retval) +{ +#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT + if (grsec_enable_mount && (retval >= 0)) + security_audit(GR_REMOUNT_AUDIT_MSG, devname ? devname : "none", DEFAULTSECARGS); +#endif + return; +} + +void +gr_log_unmount(const char *devname, const int retval) +{ +#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT + if (grsec_enable_mount && (retval >= 0)) + security_audit(GR_UNMOUNT_AUDIT_MSG, devname ? devname : "none", DEFAULTSECARGS); +#endif + return; +} + +void +gr_log_mount(const char *from, const char *to, const int retval) +{ +#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT + if (grsec_enable_mount && (retval >= 0)) + security_audit(GR_MOUNT_AUDIT_MSG, from, to, DEFAULTSECARGS); +#endif + return; +} diff -uNr linux-2.6.7-rc1.orig/grsecurity/grsec_rand.c linux-2.6.7-rc1/grsecurity/grsec_rand.c --- linux-2.6.7-rc1.orig/grsecurity/grsec_rand.c 1970-01-01 01:00:00.000000000 +0100 +++ linux-2.6.7-rc1/grsecurity/grsec_rand.c 2004-05-25 14:33:58.946399112 +0200 @@ -0,0 +1,22 @@ +#include +#include +#include +#include +#include + +extern int pid_max; + +int +gr_random_pid(void) +{ +#ifdef CONFIG_GRKERNSEC_RANDPID + int pid; + + if (grsec_enable_randpid && current->fs->root) { + + pid = 1 + (get_random_long() % pid_max); + return pid; + } +#endif + return 0; +} diff -uNr linux-2.6.7-rc1.orig/grsecurity/grsec_sig.c linux-2.6.7-rc1/grsecurity/grsec_sig.c --- linux-2.6.7-rc1.orig/grsecurity/grsec_sig.c 1970-01-01 01:00:00.000000000 +0100 +++ linux-2.6.7-rc1/grsecurity/grsec_sig.c 2004-05-25 14:33:58.951398352 +0200 @@ -0,0 +1,48 @@ +#include +#include +#include +#include + +void +gr_log_signal(const int sig, const struct task_struct *t) +{ +#ifdef CONFIG_GRKERNSEC_SIGNAL + if (grsec_enable_signal && ((sig == SIGSEGV) || (sig == SIGILL) || + (sig == SIGABRT) || (sig == SIGBUS))) { + if (t->pid == current->pid) { + security_alert_good(GR_UNISIGLOG_MSG, sig, + DEFAULTSECARGS); + } else { + security_alert_good(GR_DUALSIGLOG_MSG, sig, + gr_task_fullpath0(t), t->comm, + t->pid, t->uid, t->euid, t->gid, + t->egid, gr_parent_task_fullpath0(t), + t->parent->comm, + t->parent->pid, t->parent->uid, + t->parent->euid, t->parent->gid, + t->parent->egid, DEFAULTSECARGS); + } + } +#endif + return; +} + +int +gr_handle_signal(const struct task_struct *p, const int sig) +{ +#ifdef CONFIG_GRKERNSEC + if (current->pid > 1 && gr_check_protected_task(p)) { + security_alert(GR_SIG_ACL_MSG, sig, gr_task_fullpath0(p), + p->comm, p->pid, p->uid, + p->euid, p->gid, p->egid, + gr_parent_task_fullpath0(p), p->parent->comm, + p->parent->pid, p->parent->uid, + p->parent->euid, p->parent->gid, + p->parent->egid, DEFAULTSECARGS); + return -EPERM; + } else if (gr_pid_is_chrooted(p)) { + return -EPERM; + } +#endif + return 0; +} diff -uNr linux-2.6.7-rc1.orig/grsecurity/grsec_sock.c linux-2.6.7-rc1/grsecurity/grsec_sock.c --- linux-2.6.7-rc1.orig/grsecurity/grsec_sock.c 1970-01-01 01:00:00.000000000 +0100 +++ linux-2.6.7-rc1/grsecurity/grsec_sock.c 2004-05-25 14:33:58.953398048 +0200 @@ -0,0 +1,256 @@ +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#if defined(CONFIG_IP_NF_MATCH_STEALTH_MODULE) +extern struct sock *udp_v4_lookup(u32 saddr, u16 sport, u32 daddr, u16 dport, int dif); +EXPORT_SYMBOL(udp_v4_lookup); +#endif +#if defined(CONFIG_GRKERNSEC_RANDID) +EXPORT_SYMBOL(ip_randomid); +#endif +#if defined(CONFIG_GRKERNSEC_RANDSRC) || defined(CONFIG_GRKERNSEC_RANDRPC) +EXPORT_SYMBOL(get_random_long); +#endif +#ifdef CONFIG_GRKERNSEC_RANDISN +EXPORT_SYMBOL(ip_randomisn); +EXPORT_SYMBOL(grsec_enable_randisn); +#endif +#ifdef CONFIG_GRKERNSEC_RANDID +EXPORT_SYMBOL(grsec_enable_randid); +#endif +#ifdef CONFIG_GRKERNSEC_RANDSRC +EXPORT_SYMBOL(grsec_enable_randsrc); +#endif +#ifdef CONFIG_GRKERNSEC_RANDRPC +EXPORT_SYMBOL(grsec_enable_randrpc); +#endif + +EXPORT_SYMBOL(gr_cap_rtnetlink); + +extern int gr_search_udp_recvmsg(const struct sock *sk, const struct sk_buff *skb); +extern int gr_search_udp_sendmsg(const struct sock *sk, const struct sockaddr_in *addr); + +EXPORT_SYMBOL(gr_search_udp_recvmsg); +EXPORT_SYMBOL(gr_search_udp_sendmsg); + +#ifdef CONFIG_UNIX_MODULE +EXPORT_SYMBOL(gr_acl_handle_unix); +EXPORT_SYMBOL(gr_acl_handle_mknod); +EXPORT_SYMBOL(gr_handle_chroot_unix); +EXPORT_SYMBOL(gr_handle_create); +#endif + +#ifdef CONFIG_GRKERNSEC +struct task_struct **gr_conn_table; +const unsigned int gr_conn_table_size = 65521; +struct task_struct *deleted_conn = (struct task_struct *)~0; +spinlock_t gr_conn_table_lock = SPIN_LOCK_UNLOCKED; + +extern __inline__ const char * gr_socktype_to_name(unsigned char type); +extern __inline__ const char * gr_proto_to_name(unsigned char proto); + +static __inline__ int +conn_hash(__u32 saddr, __u32 daddr, __u16 sport, __u16 dport, unsigned int size) +{ + return ((daddr + saddr + (sport << 8) + (dport << 16)) % size); +} + +static __inline__ int +conn_match(const struct task_struct *task, __u32 saddr, __u32 daddr, + __u16 sport, __u16 dport) +{ + if (unlikely(task != deleted_conn && task->gr_saddr == saddr && + task->gr_daddr == daddr && task->gr_sport == sport && + task->gr_dport == dport)) + return 1; + else + return 0; +} + +void gr_add_to_task_ip_table(struct task_struct *task) +{ + unsigned int index; + + if (unlikely(gr_conn_table == NULL)) + return; + + if (!thread_group_leader(task)) + task = task->group_leader; + + index = conn_hash(task->gr_saddr, task->gr_daddr, + task->gr_sport, task->gr_dport, + gr_conn_table_size); + + spin_lock(&gr_conn_table_lock); + + while (gr_conn_table[index] && gr_conn_table[index] != deleted_conn) { + index = (index + 1) % gr_conn_table_size; + } + + gr_conn_table[index] = task; + + spin_unlock(&gr_conn_table_lock); + + return; +} + +void gr_del_task_from_ip_table_nolock(struct task_struct *task) +{ + unsigned int index; + + if (unlikely(gr_conn_table == NULL)) + return; + + if (!thread_group_leader(task)) + task = task->group_leader; + + index = conn_hash(task->gr_saddr, task->gr_daddr, + task->gr_sport, task->gr_dport, + gr_conn_table_size); + + while (gr_conn_table[index] && !conn_match(gr_conn_table[index], + task->gr_saddr, task->gr_daddr, task->gr_sport, + task->gr_dport)) { + index = (index + 1) % gr_conn_table_size; + } + + if (gr_conn_table[index]) { + if (gr_conn_table[(index + 1) % gr_conn_table_size]) + gr_conn_table[index] = deleted_conn; + else + gr_conn_table[index] = NULL; + } + + return; +} + +struct task_struct * gr_lookup_task_ip_table(__u32 saddr, __u32 daddr, + __u16 sport, __u16 dport) +{ + unsigned int index; + + if (unlikely(gr_conn_table == NULL)) + return NULL; + + index = conn_hash(saddr, daddr, sport, dport, gr_conn_table_size); + + while (gr_conn_table[index] && !conn_match(gr_conn_table[index], + saddr, daddr, sport, dport)) { + index = (index + 1) % gr_conn_table_size; + } + + return gr_conn_table[index]; +} + +#endif + +void gr_del_task_from_ip_table(struct task_struct *task) +{ +#ifdef CONFIG_GRKERNSEC + spin_lock(&gr_conn_table_lock); + if (!thread_group_leader(task)) + gr_del_task_from_ip_table_nolock(task->group_leader); + else + gr_del_task_from_ip_table_nolock(task); + spin_unlock(&gr_conn_table_lock); +#endif + return; +} + +void +gr_attach_curr_ip(const struct sock *sk) +{ +#ifdef CONFIG_GRKERNSEC + struct task_struct *p; + struct task_struct *set; + const struct inet_opt *inet = inet_sk(sk); + + if (unlikely(sk->sk_protocol != IPPROTO_TCP)) + return; + + set = current; + if (!thread_group_leader(set)) + set = set->group_leader; + + spin_lock(&gr_conn_table_lock); + p = gr_lookup_task_ip_table(inet->daddr, inet->rcv_saddr, + inet->dport, inet->sport); + if (unlikely(p != NULL)) { + set->curr_ip = p->curr_ip; + set->used_accept = 1; + gr_del_task_from_ip_table_nolock(p); + spin_unlock(&gr_conn_table_lock); + return; + } + spin_unlock(&gr_conn_table_lock); + + set->curr_ip = inet->daddr; + set->used_accept = 1; +#endif + return; +} + +int +gr_handle_sock_all(const int family, const int type, const int protocol) +{ +#ifdef CONFIG_GRKERNSEC_SOCKET_ALL + if (grsec_enable_socket_all && in_group_p(grsec_socket_all_gid) && + (family != AF_UNIX) && (family != AF_LOCAL)) { + security_alert(GR_SOCK2_MSG, family, gr_socktype_to_name(type), gr_proto_to_name(protocol), + DEFAULTSECARGS); + return -EACCES; + } +#endif + return 0; +} + +int +gr_handle_sock_server(const struct sockaddr *sck) +{ +#ifdef CONFIG_GRKERNSEC_SOCKET_SERVER + if (grsec_enable_socket_server && + in_group_p(grsec_socket_server_gid) && + sck && (sck->sa_family != AF_UNIX) && + (sck->sa_family != AF_LOCAL)) { + security_alert(GR_BIND_MSG, DEFAULTSECARGS); + return -EACCES; + } +#endif + return 0; +} + +int +gr_handle_sock_client(const struct sockaddr *sck) +{ +#ifdef CONFIG_GRKERNSEC_SOCKET_CLIENT + if (grsec_enable_socket_client && in_group_p(grsec_socket_client_gid) && + sck && (sck->sa_family != AF_UNIX) && + (sck->sa_family != AF_LOCAL)) { + security_alert(GR_CONNECT_MSG, DEFAULTSECARGS); + return -EACCES; + } +#endif + return 0; +} + +__u32 +gr_cap_rtnetlink(void) +{ +#ifdef CONFIG_GRKERNSEC + if (!gr_acl_is_enabled()) + return current->cap_effective; + else + return (current->cap_effective & ~(current->acl->cap_lower)); +#else + return current->cap_effective; +#endif +} diff -uNr linux-2.6.7-rc1.orig/grsecurity/grsec_sysctl.c linux-2.6.7-rc1/grsecurity/grsec_sysctl.c --- linux-2.6.7-rc1.orig/grsecurity/grsec_sysctl.c 1970-01-01 01:00:00.000000000 +0100 +++ linux-2.6.7-rc1/grsecurity/grsec_sysctl.c 2004-05-25 14:33:58.956397592 +0200 @@ -0,0 +1,443 @@ +#include +#include +#include +#include +#include + +int +gr_handle_sysctl_mod(const char *dirname, const char *name, const int op) +{ +#ifdef CONFIG_GRKERNSEC_SYSCTL + if (!strcmp(dirname, "grsecurity") && grsec_lock && (op & 002)) { + security_alert(GR_SYSCTL_MSG, name, DEFAULTSECARGS); + return -EACCES; + } +#endif + return 0; +} + +#ifdef CONFIG_GRKERNSEC_SYSCTL +enum {GS_LINK=1, GS_FIFO, GS_EXECVE, GS_EXECLOG, GS_SIGNAL, +GS_FORKFAIL, GS_TIME, GS_CHROOT_SHMAT, GS_CHROOT_UNIX, GS_CHROOT_MNT, +GS_CHROOT_FCHDIR, GS_CHROOT_DBL, GS_CHROOT_PVT, GS_CHROOT_CD, GS_CHROOT_CM, +GS_CHROOT_MK, GS_CHROOT_NI, GS_CHROOT_EXECLOG, GS_CHROOT_CAPS, +GS_CHROOT_SYSCTL, GS_TPE, GS_TPE_GID, GS_TPE_ALL, GS_SIDCAPS, +GS_RANDPID, GS_RANDID, GS_RANDSRC, GS_RANDISN, +GS_SOCKET_ALL, GS_SOCKET_ALL_GID, GS_SOCKET_CLIENT, +GS_SOCKET_CLIENT_GID, GS_SOCKET_SERVER, GS_SOCKET_SERVER_GID, GS_TTY, GS_TTYS, +GS_PTY, GS_GROUP, GS_GID, GS_ACHDIR, GS_AMOUNT, GS_AIPC, GS_DMSG, GS_RANDRPC, +GS_FINDTASK, GS_LOCK}; + + +ctl_table grsecurity_table[] = { +#ifdef CONFIG_GRKERNSEC_LINK + { + .ctl_name = GS_LINK, + .procname = "linking_restrictions", + .data = &grsec_enable_link, + .maxlen = sizeof(int), + .mode = 0600, + .proc_handler = &proc_dointvec, + }, +#endif +#ifdef CONFIG_GRKERNSEC_FIFO + { + .ctl_name = GS_FIFO, + .procname = "fifo_restrictions", + .data = &grsec_enable_fifo, + .maxlen = sizeof(int), + .mode = 0600, + .proc_handler = &proc_dointvec, + }, +#endif +#ifdef CONFIG_GRKERNSEC_EXECVE + { + .ctl_name = GS_EXECVE, + .procname = "execve_limiting", + .data = &grsec_enable_execve, + .maxlen = sizeof(int), + .mode = 0600, + .proc_handler = &proc_dointvec, + }, +#endif +#ifdef CONFIG_GRKERNSEC_EXECLOG + { + .ctl_name = GS_EXECLOG, + .procname = "exec_logging", + .data = &grsec_enable_execlog, + .maxlen = sizeof(int), + .mode = 0600, + .proc_handler = &proc_dointvec, + }, +#endif +#ifdef CONFIG_GRKERNSEC_SIGNAL + { + .ctl_name = GS_SIGNAL, + .procname = "signal_logging", + .data = &grsec_enable_signal, + .maxlen = sizeof(int), + .mode = 0600, + .proc_handler = &proc_dointvec, + }, +#endif +#ifdef CONFIG_GRKERNSEC_FORKFAIL + { + .ctl_name = GS_FORKFAIL, + .procname = "forkfail_logging", + .data = &grsec_enable_forkfail, + .maxlen = sizeof(int), + .mode = 0600, + .proc_handler = &proc_dointvec, + }, +#endif +#ifdef CONFIG_GRKERNSEC_TIME + { + .ctl_name = GS_TIME, + .procname = "timechange_logging", + .data = &grsec_enable_time, + .maxlen = sizeof(int), + .mode = 0600, + .proc_handler = &proc_dointvec, + }, +#endif +#ifdef CONFIG_GRKERNSEC_CHROOT_SHMAT + { + .ctl_name = GS_CHROOT_SHMAT, + .procname = "chroot_deny_shmat", + .data = &grsec_enable_chroot_shmat, + .maxlen = sizeof(int), + .mode = 0600, + .proc_handler = &proc_dointvec, + }, +#endif +#ifdef CONFIG_GRKERNSEC_CHROOT_UNIX + { + .ctl_name = GS_CHROOT_UNIX, + .procname = "chroot_deny_unix", + .data = &grsec_enable_chroot_unix, + .maxlen = sizeof(int), + .mode = 0600, + .proc_handler = &proc_dointvec, + }, +#endif +#ifdef CONFIG_GRKERNSEC_CHROOT_MOUNT + { + .ctl_name = GS_CHROOT_MNT, + .procname = "chroot_deny_mount", + .data = &grsec_enable_chroot_mount, + .maxlen = sizeof(int), + .mode = 0600, + .proc_handler = &proc_dointvec, + }, +#endif +#ifdef CONFIG_GRKERNSEC_CHROOT_FCHDIR + { + .ctl_name = GS_CHROOT_FCHDIR, + .procname = "chroot_deny_fchdir", + .data = &grsec_enable_chroot_fchdir, + .maxlen = sizeof(int), + .mode = 0600, + .proc_handler = &proc_dointvec, + }, +#endif +#ifdef CONFIG_GRKERNSEC_CHROOT_DOUBLE + { + .ctl_name = GS_CHROOT_DBL, + .procname = "chroot_deny_chroot", + .data = &grsec_enable_chroot_double, + .maxlen = sizeof(int), + .mode = 0600, + .proc_handler = &proc_dointvec, + }, +#endif +#ifdef CONFIG_GRKERNSEC_CHROOT_PIVOT + { + .ctl_name = GS_CHROOT_PVT, + .procname = "chroot_deny_pivot", + .data = &grsec_enable_chroot_pivot, + .maxlen = sizeof(int), + .mode = 0600, + .proc_handler = &proc_dointvec, + }, +#endif +#ifdef CONFIG_GRKERNSEC_CHROOT_CHDIR + { + .ctl_name = GS_CHROOT_CD, + .procname = "chroot_enforce_chdir", + .data = &grsec_enable_chroot_chdir, + .maxlen = sizeof(int), + .mode = 0600, + .proc_handler = &proc_dointvec, + }, +#endif +#ifdef CONFIG_GRKERNSEC_CHROOT_CHMOD + { + .ctl_name = GS_CHROOT_CM, + .procname = "chroot_deny_chmod", + .data = &grsec_enable_chroot_chmod, + .maxlen = sizeof(int), + .mode = 0600, + .proc_handler = &proc_dointvec, + }, +#endif +#ifdef CONFIG_GRKERNSEC_CHROOT_MKNOD + { + .ctl_name = GS_CHROOT_MK, + .procname = "chroot_deny_mknod", + .data = &grsec_enable_chroot_mknod, + .maxlen = sizeof(int), + .mode = 0600, + .proc_handler = &proc_dointvec, + }, +#endif +#ifdef CONFIG_GRKERNSEC_CHROOT_NICE + { + .ctl_name = GS_CHROOT_NI, + .procname = "chroot_restrict_nice", + .data = &grsec_enable_chroot_nice, + .maxlen = sizeof(int), + .mode = 0600, + .proc_handler = &proc_dointvec, + }, +#endif +#ifdef CONFIG_GRKERNSEC_CHROOT_EXECLOG + { + .ctl_name = GS_CHROOT_EXECLOG, + .procname = "chroot_execlog", + .data = &grsec_enable_chroot_execlog, + .maxlen = sizeof(int), + .mode = 0600, + .proc_handler = &proc_dointvec, + }, +#endif +#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS + { + .ctl_name = GS_CHROOT_CAPS, + .procname = "chroot_caps", + .data = &grsec_enable_chroot_caps, + .maxlen = sizeof(int), + .mode = 0600, + .proc_handler = &proc_dointvec, + }, +#endif +#ifdef CONFIG_GRKERNSEC_CHROOT_SYSCTL + { + .ctl_name = GS_CHROOT_SYSCTL, + .procname = "chroot_deny_sysctl", + .data = &grsec_enable_chroot_sysctl, + .maxlen = sizeof(int), + .mode = 0600, + .proc_handler = &proc_dointvec, + }, +#endif +#ifdef CONFIG_GRKERNSEC_TPE + { + .ctl_name = GS_TPE, + .procname = "tpe", + .data = &grsec_enable_tpe, + .maxlen = sizeof(int), + .mode = 0600, + .proc_handler = &proc_dointvec, + }, + { + .ctl_name = GS_TPE_GID, + .procname = "tpe_gid", + .data = &grsec_tpe_gid, + .maxlen = sizeof(int), + .mode = 0600, + .proc_handler = &proc_dointvec, + }, +#endif +#ifdef CONFIG_GRKERNSEC_TPE_ALL + { + .ctl_name = GS_TPE_ALL, + .procname = "tpe_restrict_all", + .data = &grsec_enable_tpe_all, + .maxlen = sizeof(int), + .mode = 0600, + .proc_handler = &proc_dointvec, + }, +#endif +#ifdef CONFIG_GRKERNSEC_RANDPID + { + .ctl_name = GS_RANDPID, + .procname = "rand_pids", + .data = &grsec_enable_randpid, + .maxlen = sizeof(int), + .mode = 0600, + .proc_handler = &proc_dointvec, + }, +#endif +#ifdef CONFIG_GRKERNSEC_RANDID + { + .ctl_name = GS_RANDID, + .procname = "rand_ip_ids", + .data = &grsec_enable_randid, + .maxlen = sizeof(int), + .mode = 0600, + .proc_handler = &proc_dointvec, + }, +#endif +#ifdef CONFIG_GRKERNSEC_RANDSRC + { + .ctl_name = GS_RANDSRC, + .procname = "rand_tcp_src_ports", + .data = &grsec_enable_randsrc, + .maxlen = sizeof(int), + .mode = 0600, + .proc_handler = &proc_dointvec, + }, +#endif +#ifdef CONFIG_GRKERNSEC_RANDISN + { + .ctl_name = GS_RANDISN, + .procname = "rand_isns", + .data = &grsec_enable_randisn, + .maxlen = sizeof(int), + .mode = 0600, + .proc_handler = &proc_dointvec, + }, +#endif +#ifdef CONFIG_GRKERNSEC_SOCKET_ALL + { + .ctl_name = GS_SOCKET_ALL, + .procname = "socket_all", + .data = &grsec_enable_socket_all, + .maxlen = sizeof(int), + .mode = 0600, + .proc_handler = &proc_dointvec, + }, + { + .ctl_name = GS_SOCKET_ALL_GID, + .procname = "socket_all_gid", + .data = &grsec_socket_all_gid, + .maxlen = sizeof(int), + .mode = 0600, + .proc_handler = &proc_dointvec, + }, +#endif +#ifdef CONFIG_GRKERNSEC_SOCKET_CLIENT + { + .ctl_name = GS_SOCKET_CLIENT, + .procname = "socket_client", + .data = &grsec_enable_socket_client, + .maxlen = sizeof(int), + .mode = 0600, + .proc_handler = &proc_dointvec, + }, + { + .ctl_name = GS_SOCKET_CLIENT_GID, + .procname = "socket_client_gid", + .data = &grsec_socket_client_gid, + .maxlen = sizeof(int), + .mode = 0600, + .proc_handler = &proc_dointvec, + }, +#endif +#ifdef CONFIG_GRKERNSEC_SOCKET_SERVER + { + .ctl_name = GS_SOCKET_SERVER, + .procname = "socket_server", + .data = &grsec_enable_socket_server, + .maxlen = sizeof(int), + .mode = 0600, + .proc_handler = &proc_dointvec, + }, + { + .ctl_name = GS_SOCKET_SERVER_GID, + .procname = "socket_server_gid", + .data = &grsec_socket_server_gid, + .maxlen = sizeof(int), + .mode = 0600, + .proc_handler = &proc_dointvec, + }, +#endif +#ifdef CONFIG_GRKERNSEC_AUDIT_GROUP + { + .ctl_name = GS_GROUP, + .procname = "audit_group", + .data = &grsec_enable_group, + .maxlen = sizeof(int), + .mode = 0600, + .proc_handler = &proc_dointvec, + }, + { + .ctl_name = GS_GID, + .procname = "audit_gid", + .data = &grsec_audit_gid, + .maxlen = sizeof(int), + .mode = 0600, + .proc_handler = &proc_dointvec, + }, +#endif +#ifdef CONFIG_GRKERNSEC_AUDIT_CHDIR + { + .ctl_name = GS_ACHDIR, + .procname = "audit_chdir", + .data = &grsec_enable_chdir, + .maxlen = sizeof(int), + .mode = 0600, + .proc_handler = &proc_dointvec, + }, +#endif +#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT + { + .ctl_name = GS_AMOUNT, + .procname = "audit_mount", + .data = &grsec_enable_mount, + .maxlen = sizeof(int), + .mode = 0600, + .proc_handler = &proc_dointvec, + }, +#endif +#ifdef CONFIG_GRKERNSEC_AUDIT_IPC + { + .ctl_name = GS_AIPC, + .procname = "audit_ipc", + .data = &grsec_enable_audit_ipc, + .maxlen = sizeof(int), + .mode = 0600, + .proc_handler = &proc_dointvec, + }, +#endif +#ifdef CONFIG_GRKERNSEC_DMESG + { + .ctl_name = GS_DMSG, + .procname = "dmesg", + .data = &grsec_enable_dmesg, + .maxlen = sizeof(int), + .mode = 0600, + .proc_handler = &proc_dointvec, + }, +#endif +#ifdef CONFIG_GRKERNSEC_RANDRPC + { + .ctl_name = GS_RANDRPC, + .procname = "rand_rpc", + .data = &grsec_enable_randrpc, + .maxlen = sizeof(int), + .mode = 0600, + .proc_handler = &proc_dointvec, + }, +#endif +#ifdef CONFIG_GRKERNSEC_CHROOT_FINDTASK + { + .ctl_name = GS_FINDTASK, + .procname = "chroot_findtask", + .data = &grsec_enable_chroot_findtask, + .maxlen = sizeof(int), + .mode = 0600, + .proc_handler = &proc_dointvec, + }, +#endif + { + .ctl_name = GS_LOCK, + .procname = "grsec_lock", + .data = &grsec_lock, + .maxlen = sizeof(int), + .mode = 0600, + .proc_handler = &proc_dointvec, + }, + { .ctl_name = 0 } +}; +#endif diff -uNr linux-2.6.7-rc1.orig/grsecurity/grsec_time.c linux-2.6.7-rc1/grsecurity/grsec_time.c --- linux-2.6.7-rc1.orig/grsecurity/grsec_time.c 1970-01-01 01:00:00.000000000 +0100 +++ linux-2.6.7-rc1/grsecurity/grsec_time.c 2004-05-25 14:33:58.958397288 +0200 @@ -0,0 +1,13 @@ +#include +#include +#include + +void +gr_log_timechange(void) +{ +#ifdef CONFIG_GRKERNSEC_TIME + if (grsec_enable_time) + security_alert_good(GR_TIME_MSG, DEFAULTSECARGS); +#endif + return; +} diff -uNr linux-2.6.7-rc1.orig/grsecurity/grsec_tpe.c linux-2.6.7-rc1/grsecurity/grsec_tpe.c --- linux-2.6.7-rc1.orig/grsecurity/grsec_tpe.c 1970-01-01 01:00:00.000000000 +0100 +++ linux-2.6.7-rc1/grsecurity/grsec_tpe.c 2004-05-25 14:33:58.960396984 +0200 @@ -0,0 +1,35 @@ +#include +#include +#include +#include +#include + +extern int gr_acl_tpe_check(void); + +int +gr_tpe_allow(const struct file *file) +{ +#ifdef CONFIG_GRKERNSEC + struct inode *inode = file->f_dentry->d_parent->d_inode; + + if (current->uid && ((grsec_enable_tpe && in_group_p(grsec_tpe_gid)) || gr_acl_tpe_check()) && + (inode->i_uid || (!inode->i_uid && ((inode->i_mode & S_IWGRP) || + (inode->i_mode & S_IWOTH))))) { + security_alert(GR_EXEC_TPE_MSG, + gr_to_filename(file->f_dentry, file->f_vfsmnt), + DEFAULTSECARGS); + return 0; + } +#ifdef CONFIG_GRKERNSEC_TPE_ALL + if (current->uid && grsec_enable_tpe && grsec_enable_tpe_all && + ((inode->i_uid && (inode->i_uid != current->uid)) || + (inode->i_mode & S_IWGRP) || (inode->i_mode & S_IWOTH))) { + security_alert(GR_EXEC_TPE_MSG, + gr_to_filename(file->f_dentry, file->f_vfsmnt), + DEFAULTSECARGS); + return 0; + } +#endif +#endif + return 1; +} diff -uNr linux-2.6.7-rc1.orig/grsecurity/grsum.c linux-2.6.7-rc1/grsecurity/grsum.c --- linux-2.6.7-rc1.orig/grsecurity/grsum.c 1970-01-01 01:00:00.000000000 +0100 +++ linux-2.6.7-rc1/grsecurity/grsum.c 2004-05-25 14:33:58.961396832 +0200 @@ -0,0 +1,59 @@ +#include +#include +#include +#include +#include +#include + + +#if !defined(CONFIG_CRYPTO) || defined(CONFIG_CRYPTO_MODULE) || !defined(CONFIG_CRYPTO_SHA256) || defined(CONFIG_CRYPTO_SHA256_MODULE) +#error "crypto and sha256 must be built into the kernel" +#endif + +int +chkpw(struct gr_arg *entry, unsigned char *salt, unsigned char *sum) +{ + char *p; + struct crypto_tfm *tfm; + unsigned char temp_sum[GR_SHA_LEN]; + struct scatterlist sg[2]; + volatile int retval = 0; + volatile int dummy = 0; + unsigned int i; + + tfm = crypto_alloc_tfm("sha256", 0); + if (tfm == NULL) { + /* should never happen, since sha256 should be built in */ + return 1; + } + + crypto_digest_init(tfm); + + p = salt; + sg[0].page = virt_to_page(p); + sg[0].offset = ((long) p & ~PAGE_MASK); + sg[0].length = GR_SALT_LEN; + + crypto_digest_update(tfm, sg, 1); + + p = entry->pw; + sg[0].page = virt_to_page(p); + sg[0].offset = ((long) p & ~PAGE_MASK); + sg[0].length = strlen(entry->pw); + + crypto_digest_update(tfm, sg, 1); + + crypto_digest_final(tfm, temp_sum); + + memset(entry->pw, 0, GR_PW_LEN); + + for (i = 0; i < GR_SHA_LEN; i++) + if (sum[i] != temp_sum[i]) + retval = 1; + else + dummy = 1; // waste a cycle + + crypto_free_tfm(tfm); + + return retval; +} diff -uNr linux-2.6.7-rc1.orig/grsecurity/Kconfig linux-2.6.7-rc1/grsecurity/Kconfig --- linux-2.6.7-rc1.orig/grsecurity/Kconfig 1970-01-01 01:00:00.000000000 +0100 +++ linux-2.6.7-rc1/grsecurity/Kconfig 2004-05-25 14:33:58.846414312 +0200 @@ -0,0 +1,819 @@ +# +# grecurity configuration +# + +menu "Grsecurity" + +config GRKERNSEC + bool "Grsecurity" + select CRYPTO + select CRYPTO_SHA256 + help + If you say Y here, you will be able to configure many features + that will enhance the security of your system. It is highly + recommended that you say Y here and read through the help + for each option so that you fully understand the features and + can evaluate their usefulness for your machine. + +choice + prompt "Security Level" + depends GRKERNSEC + default GRKERNSEC_CUSTOM + +config GRKERNSEC_LOW + bool "Low" + select GRKERNSEC_LINK + select GRKERNSEC_FIFO + select GRKERNSEC_RANDPID + select GRKERNSEC_EXECVE + select GRKERNSEC_RANDNET + select GRKERNSEC_RANDISN + select GRKERNSEC_DMESG + select GRKERNSEC_RANDID + select GRKERNSEC_CHROOT_CHDIR + help + If you choose this option, several of the grsecurity options will + be enabled that will give you greater protection against a number + of attacks, while assuring that none of your software will have any + conflicts with the additional security measures. If you run a lot + of unusual software, or you are having problems with the higher + security levels, you should say Y here. With this option, the + following features are enabled: + + - Linking Restrictions + - FIFO Restrictions + - Randomized PIDs + - Enforcing RLIMIT_NPROC on execve + - Restricted dmesg + - Randomized IP IDs + - Enforced chdir("/") on chroot + +config GRKERNSEC_MEDIUM + bool "Medium" + select GRKERNSEC_PROC_MEMMAP + select GRKERNSEC_CHROOT_SYSCTL + select GRKERNSEC_LINK + select GRKERNSEC_FIFO + select GRKERNSEC_RANDPID + select GRKERNSEC_EXECVE + select GRKERNSEC_DMESG + select GRKERNSEC_RANDID + select GRKERNSEC_RANDNET + select GRKERNSEC_RANDISN + select GRKERNSEC_RANDSRC + select GRKERNSEC_RANDRPC + select GRKERNSEC_FORKFAIL + select GRKERNSEC_TIME + select GRKERNSEC_SIGNAL + select GRKERNSEC_CHROOT + select GRKERNSEC_CHROOT_UNIX + select GRKERNSEC_CHROOT_MOUNT + select GRKERNSEC_CHROOT_PIVOT + select GRKERNSEC_CHROOT_DOUBLE + select GRKERNSEC_CHROOT_CHDIR + select GRKERNSEC_CHROOT_MKNOD + select GRKERNSEC_PROC + select GRKERNSEC_PROC_USERGROUP + + help + If you say Y here, several features in addition to those included + in the low additional security level will be enabled. These + features provide even more security to your system, though in rare + cases they may be incompatible with very old or poorly written + software. If you enable this option, make sure that your auth + service (identd) is running as gid 1001. With this option, + the following features (in addition to those provided in the + low additional security level) will be enabled: + + - Randomized TCP Source Ports + - Failed Fork Logging + - Time Change Logging + - Signal Logging + - Deny Mounts in chroot + - Deny Double chrooting + - Deny Sysctl Writes in chroot + - Deny Mknod in chroot + - Deny Access to Abstract AF_UNIX Sockets out of chroot + - Deny pivot_root in chroot + - Denied Writes of /dev/kmem, /dev/mem, and /dev/port + - /proc restrictions with special GID set to 10 (usually wheel) + +config GRKERNSEC_HIGH + bool "High" + select GRKERNSEC_LINK + select GRKERNSEC_FIFO + select GRKERNSEC_RANDPID + select GRKERNSEC_EXECVE + select GRKERNSEC_DMESG + select GRKERNSEC_RANDID + select GRKERNSEC_RANDSRC + select GRKERNSEC_RANDRPC + select GRKERNSEC_FORKFAIL + select GRKERNSEC_TIME + select GRKERNSEC_SIGNAL + select GRKERNSEC_CHROOT_SHMAT + select GRKERNSEC_CHROOT_UNIX + select GRKERNSEC_CHROOT_MOUNT + select GRKERNSEC_CHROOT_FCHDIR + select GRKERNSEC_CHROOT_PIVOT + select GRKERNSEC_CHROOT_DOUBLE + select GRKERNSEC_CHROOT_CHDIR + select GRKERNSEC_CHROOT_MKNOD + select GRKERNSEC_CHROOT_CAPS + select GRKERNSEC_CHROOT_SYSCTL + select GRKERNSEC_CHROOT_FINDTASK + select GRKERNSEC_PROC + select GRKERNSEC_PROC_MEMMAP + select GRKERNSEC_HIDESYM + select GRKERNSEC_PROC_USERGROUP + select GRKERNSEC_KMEM + select GRKERNSEC_RESLOG + select GRKERNSEC_RANDNET + select GRKERNSEC_RANDISN + select GRKERNSEC_PROC_ADD + select GRKERNSEC_CHROOT_CHMOD + select GRKERNSEC_CHROOT_NICE + select GRKERNSEC_AUDIT_MOUNT + help + If you say Y here, many of the features of grsecurity will be + enabled, which will protect you against many kinds of attacks + against your system. The heightened security comes at a cost + of an increased chance of incompatibilities with rare software + on your machine. Also remember that since the /proc restrictions + are enabled, you must run your identd as gid 1001. + This security level enables the following features in addition + to those listed in the low and medium security levels: + + - Additional /proc Restrictions + - Chmod Restrictions in chroot + - No Signals, Ptrace, or Viewing of Processes Outside of chroot + - Capability Restrictions in chroot + - Deny fchdir out of chroot + - Priority Restrictions in chroot + - Mprotect Restrictions + - Removal of Addresses from /proc//[maps|stat] + - Mount/Unmount/Remount Logging + - Kernel Symbol Hiding + +config GRKERNSEC_CUSTOM + bool "Custom" + help + If you say Y here, you will be able to configure every grsecurity + option, which allows you to enable many more features that aren't + covered in the basic security levels. These additional features + include TPE, socket restrictions, and the sysctl system for + grsecurity. It is advised that you read through the help for + each option to determine its usefulness in your situation. + +endchoice + +menu "Address Space Protection" +depends on GRKERNSEC + +config GRKERNSEC_KMEM + bool "Deny writing to /dev/kmem, /dev/mem, and /dev/port" + help + If you say Y here, /dev/kmem and /dev/mem won't be allowed to + be written to via mmap or otherwise to modify the running kernel. + /dev/port will also not be allowed to be opened. If you have module + support disabled, enabling this will close up four ways that are + currently used to insert malicious code into the running kernel. + Even with all these features enabled, we still highly recommend that + you use the ACL system, as it is still possible for an attacker to + modify the running kernel through privileged I/O granted by ioperm/iopl. + If you are not using XFree86, you may be able to stop this additional + case by enabling the 'Disable privileged I/O' option. Though nothing + legitimately writes to /dev/kmem, XFree86 does need to write to /dev/mem, + but only to video memory, which is the only writing we allow in this + case. If /dev/kmem or /dev/mem are mmaped without PROT_WRITE, they will + not be allowed to mprotect it with PROT_WRITE later. + Enabling this feature could make certain apps like VMWare stop working, + as they need to write to other locations in /dev/mem. + It is highly recommended that you say Y here if you meet all the + conditions above. + +config GRKERNSEC_IO + bool "Disable privileged I/O" + depends on X86 + select RTC + help + If you say Y here, all ioperm and iopl calls will return an error. + Ioperm and iopl can be used to modify the running kernel. + Unfortunately, some programs need this access to operate properly, + the most notable of which are XFree86 and hwclock. hwclock can be + remedied by having RTC support in the kernel, so CONFIG_RTC is + enabled if this option is enabled, to ensure that hwclock operates + correctly. XFree86 still will not operate correctly with this option + enabled, so DO NOT CHOOSE Y IF YOU USE XFree86. If you use XFree86 + and you still want to protect your kernel against modification, + use the ACL system. + +config GRKERNSEC_PROC_MEMMAP + bool "Remove addresses from /proc//[maps|stat]" + help + If you say Y here, the /proc//maps and /proc//stat files + will give no information about the addresses of its mappings. + +config GRKERNSEC_HIDESYM + bool "Hide kernel symbols" + help + If you say Y here, getting information on loaded modules, and + displaying all kernel symbols through a syscall will be restricted + to users with CAP_SYS_MODULE. This option is only effective + provided the following conditions are met: + 1) The kernel using grsecurity is not precompiled by some distribution + 2) You are using the ACL system and hiding other files such as your + kernel image and System.map + 3) You have the additional /proc restrictions enabled, which removes + /proc/kcore + If the above conditions are met, this option will aid to provide a + useful protection against local and remote kernel exploitation of + overflows and arbitrary read/write vulnerabilities. + +endmenu +menu "Role Based Access Control Options" +depends on GRKERNSEC + +config GRKERNSEC_ACL_HIDEKERN + bool "Hide kernel processes" + help + If you say Y here, when the RBAC system is enabled via gradm -E, + an additional ACL will be passed to the kernel that hides all kernel + processes. These processes will only be viewable by the authenticated + admin, or processes that have viewing access set. + +config GRKERNSEC_ACL_MAXTRIES + int "Maximum tries before password lockout" + default 3 + help + This option enforces the maximum number of times a user can attempt + to authorize themselves with the grsecurity ACL system before being + denied the ability to attempt authorization again for a specified time. + The lower the number, the harder it will be to brute-force a password. + +config GRKERNSEC_ACL_TIMEOUT + int "Time to wait after max password tries, in seconds" + default 30 + help + This option specifies the time the user must wait after attempting to + authorize to the ACL system with the maximum number of invalid + passwords. The higher the number, the harder it will be to brute-force + a password. + +endmenu +menu "Filesystem Protections" +depends on GRKERNSEC + +config GRKERNSEC_PROC + bool "Proc restrictions" + help + If you say Y here, the permissions of the /proc filesystem + will be altered to enhance system security and privacy. Depending + upon the options you choose, you can either restrict users to see + only the processes they themselves run, or choose a group that can + view all processes and files normally restricted to root if you choose + the "restrict to user only" option. NOTE: If you're running identd as + a non-root user, you will have to run it as the group you specify here. + +config GRKERNSEC_PROC_USER + bool "Restrict /proc to user only" + depends on GRKERNSEC_PROC + help + If you say Y here, non-root users will only be able to view their own + processes, and restricts them from viewing network-related information, + and viewing kernel symbol and module information. + +config GRKERNSEC_PROC_USERGROUP + bool "Allow special group" + depends on GRKERNSEC_PROC && !GRKERNSEC_PROC_USER + help + If you say Y here, you will be able to select a group that will be + able to view all processes, network-related information, and + kernel and symbol information. This option is useful if you want + to run identd as a non-root user. + +config GRKERNSEC_PROC_GID + int "GID for special group" + depends on GRKERNSEC_PROC_USERGROUP + default 1001 + +config GRKERNSEC_PROC_ADD + bool "Additional restrictions" + depends on GRKERNSEC_PROC_USER || GRKERNSEC_PROC_USERGROUP + help + If you say Y here, additional restrictions will be placed on + /proc that keep normal users from viewing cpu and device information. + +config GRKERNSEC_LINK + bool "Linking restrictions" + help + If you say Y here, /tmp race exploits will be prevented, since users + will no longer be able to follow symlinks owned by other users in + world-writable +t directories (i.e. /tmp), unless the owner of the + symlink is the owner of the directory. users will also not be + able to hardlink to files they do not own. If the sysctl option is + enabled, a sysctl option with name "linking_restrictions" is created. + +config GRKERNSEC_FIFO + bool "FIFO restrictions" + help + If you say Y here, users will not be able to write to FIFOs they don't + own in world-writable +t directories (i.e. /tmp), unless the owner of + the FIFO is the same owner of the directory it's held in. If the sysctl + option is enabled, a sysctl option with name "fifo_restrictions" is + created. + +config GRKERNSEC_CHROOT + bool "Chroot jail restrictions" + help + If you say Y here, you will be able to choose several options that will + make breaking out of a chrooted jail much more difficult. If you + encounter no software incompatibilities with the following options, it + is recommended that you enable each one. + +config GRKERNSEC_CHROOT_MOUNT + bool "Deny mounts" + depends on GRKERNSEC_CHROOT + help + If you say Y here, processes inside a chroot will not be able to + mount or remount filesystems. If the sysctl option is enabled, a + sysctl option with name "chroot_deny_mount" is created. + +config GRKERNSEC_CHROOT_DOUBLE + bool "Deny double-chroots" + depends on GRKERNSEC_CHROOT + help + If you say Y here, processes inside a chroot will not be able to chroot + again outside the chroot. This is a widely used method of breaking + out of a chroot jail and should not be allowed. If the sysctl + option is enabled, a sysctl option with name + "chroot_deny_chroot" is created. + +config GRKERNSEC_CHROOT_PIVOT + bool "Deny pivot_root in chroot" + depends on GRKERNSEC_CHROOT + help + If you say Y here, processes inside a chroot will not be able to use + a function called pivot_root() that was introduced in Linux 2.3.41. It + works similar to chroot in that it changes the root filesystem. This + function could be misused in a chrooted process to attempt to break out + of the chroot, and therefore should not be allowed. If the sysctl + option is enabled, a sysctl option with name "chroot_deny_pivot" is + created. + +config GRKERNSEC_CHROOT_CHDIR + bool "Enforce chdir(\"/\") on all chroots" + depends on GRKERNSEC_CHROOT + help + If you say Y here, the current working directory of all newly-chrooted + applications will be set to the the root directory of the chroot. + The man page on chroot(2) states: + Note that this call does not change the current working + directory, so that `.' can be outside the tree rooted at + `/'. In particular, the super-user can escape from a + `chroot jail' by doing `mkdir foo; chroot foo; cd ..'. + + It is recommended that you say Y here, since it's not known to break + any software. If the sysctl option is enabled, a sysctl option with + name "chroot_enforce_chdir" is created. + +config GRKERNSEC_CHROOT_CHMOD + bool "Deny (f)chmod +s" + depends on GRKERNSEC_CHROOT + help + If you say Y here, processes inside a chroot will not be able to chmod + or fchmod files to make them have suid or sgid bits. This protects + against another published method of breaking a chroot. If the sysctl + option is enabled, a sysctl option with name "chroot_deny_chmod" is + created. + +config GRKERNSEC_CHROOT_FCHDIR + bool "Deny fchdir out of chroot" + depends on GRKERNSEC_CHROOT + help + If you say Y here, a well-known method of breaking chroots by fchdir'ing + to a file descriptor of the chrooting process that points to a directory + outside the filesystem will be stopped. If the sysctl option + is enabled, a sysctl option with name "chroot_deny_fchdir" is created. + +config GRKERNSEC_CHROOT_MKNOD + bool "Deny mknod" + depends on GRKERNSEC_CHROOT + help + If you say Y here, processes inside a chroot will not be allowed to + mknod. The problem with using mknod inside a chroot is that it + would allow an attacker to create a device entry that is the same + as one on the physical root of your system, which could range from + anything from the console device to a device for your harddrive (which + they could then use to wipe the drive or steal data). It is recommended + that you say Y here, unless you run into software incompatibilities. + If the sysctl option is enabled, a sysctl option with name + "chroot_deny_mknod" is created. + +config GRKERNSEC_CHROOT_SHMAT + bool "Deny shmat() out of chroot" + depends on GRKERNSEC_CHROOT + help + If you say Y here, processes inside a chroot will not be able to attach + to shared memory segments that were created outside of the chroot jail. + It is recommended that you say Y here. If the sysctl option is enabled, + a sysctl option with name "chroot_deny_shmat" is created. + +config GRKERNSEC_CHROOT_UNIX + bool "Deny access to abstract AF_UNIX sockets out of chroot" + depends on GRKERNSEC_CHROOT + help + If you say Y here, processes inside a chroot will not be able to + connect to abstract (meaning not belonging to a filesystem) Unix + domain sockets that were bound outside of a chroot. It is recommended + that you say Y here. If the sysctl option is enabled, a sysctl option + with name "chroot_deny_unix" is created. + +config GRKERNSEC_CHROOT_FINDTASK + bool "Protect outside processes" + depends on GRKERNSEC_CHROOT + help + If you say Y here, processes inside a chroot will not be able to + kill, send signals with fcntl, ptrace, capget, setpgid, getpgid, + getsid, or view any process outside of the chroot. If the sysctl + option is enabled, a sysctl option with name "chroot_findtask" is + created. + +config GRKERNSEC_CHROOT_NICE + bool "Restrict priority changes" + depends on GRKERNSEC_CHROOT + help + If you say Y here, processes inside a chroot will not be able to raise + the priority of processes in the chroot, or alter the priority of + processes outside the chroot. This provides more security than simply + removing CAP_SYS_NICE from the process' capability set. If the + sysctl option is enabled, a sysctl option with name "chroot_restrict_nice" + is created. + +config GRKERNSEC_CHROOT_SYSCTL + bool "Deny sysctl writes" + depends on GRKERNSEC_CHROOT + help + If you say Y here, an attacker in a chroot will not be able to + write to sysctl entries, either by sysctl(2) or through a /proc + interface. It is strongly recommended that you say Y here. If the + sysctl option is enabled, a sysctl option with name + "chroot_deny_sysctl" is created. + +config GRKERNSEC_CHROOT_CAPS + bool "Capability restrictions" + depends on GRKERNSEC_CHROOT + help + If you say Y here, the capabilities on all root processes within a + chroot jail will be lowered to stop module insertion, raw i/o, + system and net admin tasks, rebooting the system, modifying immutable + files, modifying IPC owned by another, and changing the system time. + This is left an option because it can break some apps. Disable this + if your chrooted apps are having problems performing those kinds of + tasks. If the sysctl option is enabled, a sysctl option with + name "chroot_caps" is created. + +endmenu +menu "Kernel Auditing" +depends on GRKERNSEC + +config GRKERNSEC_AUDIT_GROUP + bool "Single group for auditing" + help + If you say Y here, the exec, chdir, (un)mount, and ipc logging features + will only operate on a group you specify. This option is recommended + if you only want to watch certain users instead of having a large + amount of logs from the entire system. If the sysctl option is enabled, + a sysctl option with name "audit_group" is created. + +config GRKERNSEC_AUDIT_GID + int "GID for auditing" + depends on GRKERNSEC_AUDIT_GROUP + default 1007 + +config GRKERNSEC_EXECLOG + bool "Exec logging" + help + If you say Y here, all execve() calls will be logged (since the + other exec*() calls are frontends to execve(), all execution + will be logged). Useful for shell-servers that like to keep track + of their users. If the sysctl option is enabled, a sysctl option with + name "exec_logging" is created. + WARNING: This option when enabled will produce a LOT of logs, especially + on an active system. + +config GRKERNSEC_RESLOG + bool "Resource logging" + help + If you say Y here, all attempts to overstep resource limits will + be logged with the resource name, the requested size, and the current + limit. It is highly recommended that you say Y here. + +config GRKERNSEC_CHROOT_EXECLOG + bool "Log execs within chroot" + help + If you say Y here, all executions inside a chroot jail will be logged + to syslog. This can cause a large amount of logs if certain + applications (eg. djb's daemontools) are installed on the system, and + is therefore left as an option. If the sysctl option is enabled, a + sysctl option with name "chroot_execlog" is created. + +config GRKERNSEC_AUDIT_CHDIR + bool "Chdir logging" + help + If you say Y here, all chdir() calls will be logged. If the sysctl + option is enabled, a sysctl option with name "audit_chdir" is created. + +config GRKERNSEC_AUDIT_MOUNT + bool "(Un)Mount logging" + help + If you say Y here, all mounts and unmounts will be logged. If the + sysctl option is enabled, a sysctl option with name "audit_mount" is + created. + +config GRKERNSEC_AUDIT_IPC + bool "IPC logging" + help + If you say Y here, creation and removal of message queues, semaphores, + and shared memory will be logged. If the sysctl option is enabled, a + sysctl option with name "audit_ipc" is created. + +config GRKERNSEC_SIGNAL + bool "Signal logging" + help + If you say Y here, certain important signals will be logged, such as + SIGSEGV, which will as a result inform you of when a error in a program + occurred, which in some cases could mean a possible exploit attempt. + If the sysctl option is enabled, a sysctl option with name + "signal_logging" is created. + +config GRKERNSEC_FORKFAIL + bool "Fork failure logging" + help + If you say Y here, all failed fork() attempts will be logged. + This could suggest a fork bomb, or someone attempting to overstep + their process limit. If the sysctl option is enabled, a sysctl option + with name "forkfail_logging" is created. + +config GRKERNSEC_TIME + bool "Time change logging" + help + If you say Y here, any changes of the system clock will be logged. + If the sysctl option is enabled, a sysctl option with name + "timechange_logging" is created. + +config GRKERNSEC_PROC_IPADDR + bool "/proc//ipaddr support" + help + If you say Y here, a new entry will be added to each /proc/ + directory that contains the IP address of the person using the task. + The IP is carried across local TCP and AF_UNIX stream sockets. + This information can be useful for IDS/IPSes to perform remote response + to a local attack. The entry is readable by only the owner of the + process (and root if he has CAP_DAC_OVERRIDE, which can be removed via + the RBAC system), and thus does not create privacy concerns. + +endmenu + +menu "Executable Protections" +depends on GRKERNSEC + +config GRKERNSEC_EXECVE + bool "Enforce RLIMIT_NPROC on execs" + help + If you say Y here, users with a resource limit on processes will + have the value checked during execve() calls. The current system + only checks the system limit during fork() calls. If the sysctl option + is enabled, a sysctl option with name "execve_limiting" is created. + +config GRKERNSEC_DMESG + bool "Dmesg(8) restriction" + help + If you say Y here, non-root users will not be able to use dmesg(8) + to view up to the last 4kb of messages in the kernel's log buffer. + If the sysctl option is enabled, a sysctl option with name "dmesg" is + created. + +config GRKERNSEC_RANDPID + bool "Randomized PIDs" + help + If you say Y here, all PIDs created on the system will be + pseudo-randomly generated. This is extremely effective along + with the /proc restrictions to disallow an attacker from guessing + pids of daemons, etc. PIDs are also used in some cases as part + of a naming system for temporary files, so this option would keep + those filenames from being predicted as well. We also use code + to make sure that PID numbers aren't reused too soon. If the sysctl + option is enabled, a sysctl option with name "rand_pids" is created. + +config GRKERNSEC_TPE + bool "Trusted Path Execution (TPE)" + help + If you say Y here, you will be able to choose a gid to add to the + supplementary groups of users you want to mark as "untrusted." + These users will not be able to execute any files that are not in + root-owned directories writable only by root. If the sysctl option + is enabled, a sysctl option with name "tpe" is created. + +config GRKERNSEC_TPE_ALL + bool "Partially restrict non-root users" + depends on GRKERNSEC_TPE + help + If you say Y here, All non-root users other than the ones in the + group specified in the main TPE option will only be allowed to + execute files in directories they own that are not group or + world-writable, or in directories owned by root and writable only by + root. If the sysctl option is enabled, a sysctl option with name + "tpe_restrict_all" is created. + +config GRKERNSEC_TPE_GID + int "GID for untrusted users" + depends on GRKERNSEC_TPE + default 1005 + help + Here you can choose the GID to enable trusted path protection for. + Remember to add the users you want protection enabled for to the GID + specified here. If the sysctl option is enabled, whatever you choose + here won't matter. You'll have to specify the GID in your bootup + script by echoing the GID to the proper /proc entry. View the help + on the sysctl option for more information. If the sysctl option is + enabled, a sysctl option with name "tpe_gid" is created. + +endmenu +menu "Network Protections" +depends on GRKERNSEC + +config GRKERNSEC_RANDNET + bool "Larger entropy pools" + help + If you say Y here, the entropy pools used for many features of Linux + and grsecurity will be doubled in size. Since several grsecurity + features use additional randomness, it is recommended that you say Y + here. Saying Y here has a similar effect as modifying + /proc/sys/kernel/random/poolsize. + +config GRKERNSEC_RANDISN + bool "Truly random TCP ISN selection" + help + If you say Y here, Linux's default selection of TCP Initial Sequence + Numbers (ISNs) will be replaced with that of OpenBSD. Linux uses + an MD4 hash based on the connection plus a time value to create the + ISN, while OpenBSD's selection is random. If the sysctl option is + enabled, a sysctl option with name "rand_isns" is created. + +config GRKERNSEC_RANDID + bool "Randomized IP IDs" + help + If you say Y here, all the id field on all outgoing packets + will be randomized. This hinders os fingerprinters and + keeps your machine from being used as a bounce for an untraceable + portscan. Ids are used for fragmented packets, fragments belonging + to the same packet have the same id. By default linux only + increments the id value on each packet sent to an individual host. + We use a port of the OpenBSD random ip id code to achieve the + randomness, while keeping the possibility of id duplicates to + near none. If the sysctl option is enabled, a sysctl option with name + "rand_ip_ids" is created. + +config GRKERNSEC_RANDSRC + bool "Randomized TCP source ports" + default n if GRKERNSEC_LOW || GRKERNSEC_MID + default y if GRKERNSEC_HIGH + help + If you say Y here, situations where a source port is generated on the + fly for the TCP protocol (ie. with connect() ) will be altered so that + the source port is generated at random, instead of a simple incrementing + algorithm. If the sysctl option is enabled, a sysctl option with name + "rand_tcp_src_ports" is created. + +config GRKERNSEC_RANDRPC + bool "Randomized RPC XIDs" + help + If you say Y here, the method of determining XIDs for RPC requests will + be randomized, instead of using linux's default behavior of simply + incrementing the XID. If you want your RPC connections to be more + secure, say Y here. If the sysctl option is enabled, a sysctl option + with name "rand_rpc" is created. + +config GRKERNSEC_SOCKET + bool "Socket restrictions" + help + If you say Y here, you will be able to choose from several options. + If you assign a GID on your system and add it to the supplementary + groups of users you want to restrict socket access to, this patch + will perform up to three things, based on the option(s) you choose. + +config GRKERNSEC_SOCKET_ALL + bool "Deny any sockets to group" + depends on GRKERNSEC_SOCKET + help + If you say Y here, you will be able to choose a GID of whose users will + be unable to connect to other hosts from your machine or run server + applications from your machine. If the sysctl option is enabled, a + sysctl option with name "socket_all" is created. + +config GRKERNSEC_SOCKET_ALL_GID + int "GID to deny all sockets for" + depends on GRKERNSEC_SOCKET_ALL + default 1004 + help + Here you can choose the GID to disable socket access for. Remember to + add the users you want socket access disabled for to the GID + specified here. If the sysctl option is enabled, whatever you choose + here won't matter. You'll have to specify the GID in your bootup + script by echoing the GID to the proper /proc entry. View the help + on the sysctl option for more information. If the sysctl option is + enabled, a sysctl option with name "socket_all_gid" is created. + +config GRKERNSEC_SOCKET_CLIENT + bool "Deny client sockets to group" + depends on GRKERNSEC_SOCKET + help + If you say Y here, you will be able to choose a GID of whose users will + be unable to connect to other hosts from your machine, but will be + able to run servers. If this option is enabled, all users in the group + you specify will have to use passive mode when initiating ftp transfers + from the shell on your machine. If the sysctl option is enabled, a + sysctl option with name "socket_client" is created. + +config GRKERNSEC_SOCKET_CLIENT_GID + int "GID to deny client sockets for" + depends on GRKERNSEC_SOCKET_CLIENT + default 1003 + help + Here you can choose the GID to disable client socket access for. + Remember to add the users you want client socket access disabled for to + the GID specified here. If the sysctl option is enabled, whatever you + choose here won't matter. You'll have to specify the GID in your bootup + script by echoing the GID to the proper /proc entry. View the help + on the sysctl option for more information. If the sysctl option is + enabled, a sysctl option with name "socket_client_gid" is created. + +config GRKERNSEC_SOCKET_SERVER + bool "Deny server sockets to group" + depends on GRKERNSEC_SOCKET + help + If you say Y here, you will be able to choose a GID of whose users will + be unable to run server applications from your machine. If the sysctl + option is enabled, a sysctl option with name "socket_server" is created. + +config GRKERNSEC_SOCKET_SERVER_GID + int "GID to deny server sockets for" + depends on GRKERNSEC_SOCKET_SERVER + default 1002 + help + Here you can choose the GID to disable server socket access for. + Remember to add the users you want server socket access disabled for to + the GID specified here. If the sysctl option is enabled, whatever you + choose here won't matter. You'll have to specify the GID in your bootup + script by echoing the GID to the proper /proc entry. View the help + on the sysctl option for more information. If the sysctl option is + enabled, a sysctl option with name "socket_server_gid" is created. + +endmenu +menu "Sysctl support" +depends on GRKERNSEC && SYSCTL + +config GRKERNSEC_SYSCTL + bool "Sysctl support" + help + If you say Y here, you will be able to change the options that + grsecurity runs with at bootup, without having to recompile your + kernel. You can echo values to files in /proc/sys/kernel/grsecurity + to enable (1) or disable (0) various features. All the sysctl entries + are mutable until the "grsec_lock" entry is set to a non-zero value. + All features are disabled by default. Please note that this option could + reduce the effectiveness of the added security of this patch if an ACL + system is not put in place. Your init scripts should be read-only, and + root should not have access to adding modules or performing raw i/o + operations. All options should be set at startup, and the grsec_lock + entry should be set to a non-zero value after all the options are set. + *THIS IS EXTREMELY IMPORTANT* + +endmenu +menu "Logging Options" +depends on GRKERNSEC + +config GRKERNSEC_FLOODTIME + int "Seconds in between log messages (minimum)" + default 10 + help + This option allows you to enforce the number of seconds between + grsecurity log messages. The default should be suitable for most + people, however, if you choose to change it, choose a value small enough + to allow informative logs to be produced, but large enough to + prevent flooding. + +config GRKERNSEC_FLOODBURST + int "Number of messages in a burst (maximum)" + default 4 + help + This option allows you to choose the maximum number of messages allowed + within the flood time interval you chose in a separate option. The + default should be suitable for most people, however if you find that + many of your logs are being interpreted as flooding, you may want to + raise this value. + +endmenu + +endmenu diff -uNr linux-2.6.7-rc1.orig/grsecurity/Makefile linux-2.6.7-rc1/grsecurity/Makefile --- linux-2.6.7-rc1.orig/grsecurity/Makefile 1970-01-01 01:00:00.000000000 +0100 +++ linux-2.6.7-rc1/grsecurity/Makefile 2004-05-25 14:33:58.847414160 +0200 @@ -0,0 +1,21 @@ +# grsecurity's ACL system was originally written in 2001 by Michael Dalton +# during 2001, 2002, and 2003 it has been completely redesigned by +# Brad Spengler +# +# All code in this directory and various hooks inserted throughout the kernel +# are copyright Brad Spengler, and released under the GPL, unless otherwise +# noted (as in obsd_rand.c) + +obj-y = grsec_chdir.o grsec_chroot.o grsec_exec.o grsec_fifo.o grsec_fork.o \ + grsec_mount.o grsec_rand.o grsec_sig.o grsec_sock.o grsec_sysctl.o \ + grsec_time.o grsec_tpe.o grsec_ipc.o grsec_link.o + +obj-$(CONFIG_GRKERNSEC) += grsec_init.o grsum.o gracl.o gracl_ip.o gracl_segv.o obsd_rand.o \ + gracl_cap.o gracl_alloc.o gracl_shm.o grsec_mem.o gracl_fs.o \ + gracl_learn.o +obj-$(CONFIG_GRKERNSEC_RESLOG) += gracl_res.o + +ifndef CONFIG_GRKERNSEC +obj-y += grsec_disabled.o +endif + diff -uNr linux-2.6.7-rc1.orig/grsecurity/obsd_rand.c linux-2.6.7-rc1/grsecurity/obsd_rand.c --- linux-2.6.7-rc1.orig/grsecurity/obsd_rand.c 1970-01-01 01:00:00.000000000 +0100 +++ linux-2.6.7-rc1/grsecurity/obsd_rand.c 2004-05-25 14:33:58.964396376 +0200 @@ -0,0 +1,186 @@ + +/* + * Copyright (c) 1996, 1997, 2000-2002 Michael Shalayeff. + * + * Version 1.89, last modified 19-Sep-99 + * + * Copyright Theodore Ts'o, 1994, 1995, 1996, 1997, 1998, 1999. + * All rights reserved. + * + * Copyright 1998 Niels Provos + * All rights reserved. + * Theo de Raadt came up with the idea of using + * such a mathematical system to generate more random (yet non-repeating) + * ids to solve the resolver/named problem. But Niels designed the + * actual system based on the constraints. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer, + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +#include +#include +#include +#include +#include +#include +#include + +#define RU_OUT 180 +#define RU_MAX 30000 +#define RU_GEN 2 +#define RU_N 32749 +#define RU_AGEN 7 +#define RU_M 31104 +#define PFAC_N 3 +const static __u16 pfacts[PFAC_N] = { 2, 3, 2729 }; + +static __u16 ru_x; +static __u16 ru_seed, ru_seed2; +static __u16 ru_a, ru_b; +static __u16 ru_g; +static __u16 ru_counter = 0; +static __u16 ru_msb = 0; +static unsigned long ru_reseed = 0; +static __u32 tmp; + +#define TCP_RNDISS_ROUNDS 15 +#define TCP_RNDISS_OUT 7200 +#define TCP_RNDISS_MAX 30000 + +static __u8 tcp_rndiss_sbox[128]; +static __u16 tcp_rndiss_msb; +static __u16 tcp_rndiss_cnt; +static unsigned long tcp_rndiss_reseed; + +static __u16 pmod(__u16, __u16, __u16); +static void ip_initid(void); +__u16 ip_randomid(void); + +static __u16 +pmod(__u16 gen, __u16 exp, __u16 mod) +{ + __u16 s, t, u; + + s = 1; + t = gen; + u = exp; + + while (u) { + if (u & 1) + s = (s * t) % mod; + u >>= 1; + t = (t * t) % mod; + } + return (s); +} + +static void +ip_initid(void) +{ + __u16 j, i; + int noprime = 1; + + ru_x = ((tmp = get_random_long()) & 0xFFFF) % RU_M; + + ru_seed = (tmp >> 16) & 0x7FFF; + ru_seed2 = get_random_long() & 0x7FFF; + + ru_b = ((tmp = get_random_long()) & 0xfffe) | 1; + ru_a = pmod(RU_AGEN, (tmp >> 16) & 0xfffe, RU_M); + while (ru_b % 3 == 0) + ru_b += 2; + + j = (tmp = get_random_long()) % RU_N; + tmp = tmp >> 16; + + while (noprime) { + for (i = 0; i < PFAC_N; i++) + if (j % pfacts[i] == 0) + break; + + if (i >= PFAC_N) + noprime = 0; + else + j = (j + 1) % RU_N; + } + + ru_g = pmod(RU_GEN, j, RU_N); + ru_counter = 0; + + ru_reseed = xtime.tv_sec + RU_OUT; + ru_msb = ru_msb == 0x8000 ? 0 : 0x8000; +} + +__u16 +ip_randomid(void) +{ + int i, n; + + if (ru_counter >= RU_MAX || time_after(get_seconds(), ru_reseed)) + ip_initid(); + + if (!tmp) + tmp = get_random_long(); + + n = tmp & 0x3; + tmp = tmp >> 2; + if (ru_counter + n >= RU_MAX) + ip_initid(); + for (i = 0; i <= n; i++) + ru_x = (ru_a * ru_x + ru_b) % RU_M; + ru_counter += i; + + return ((ru_seed ^ pmod(ru_g, ru_seed2 ^ ru_x, RU_N)) | ru_msb); +} + +__u16 +tcp_rndiss_encrypt(__u16 val) +{ + __u16 sum = 0, i; + + for (i = 0; i < TCP_RNDISS_ROUNDS; i++) { + sum += 0x79b9; + val ^= ((__u16) tcp_rndiss_sbox[(val ^ sum) & 0x7f]) << 7; + val = ((val & 0xff) << 7) | (val >> 8); + } + + return val; +} + +static void +tcp_rndiss_init(void) +{ + get_random_bytes(tcp_rndiss_sbox, sizeof (tcp_rndiss_sbox)); + tcp_rndiss_reseed = get_seconds() + TCP_RNDISS_OUT; + tcp_rndiss_msb = tcp_rndiss_msb == 0x8000 ? 0 : 0x8000; + tcp_rndiss_cnt = 0; +} + +__u32 +ip_randomisn(void) +{ + if (tcp_rndiss_cnt >= TCP_RNDISS_MAX || + time_after(get_seconds(), tcp_rndiss_reseed)) + tcp_rndiss_init(); + + return (((tcp_rndiss_encrypt(tcp_rndiss_cnt++) | + tcp_rndiss_msb) << 16) | (get_random_long() & 0x7fff)); +} diff -uNr linux-2.6.7-rc1.orig/include/asm-i386/module.h linux-2.6.7-rc1/include/asm-i386/module.h --- linux-2.6.7-rc1.orig/include/asm-i386/module.h 2004-05-23 07:53:35.000000000 +0200 +++ linux-2.6.7-rc1/include/asm-i386/module.h 2004-05-25 14:33:59.087377680 +0200 @@ -60,12 +60,18 @@ #define MODULE_REGPARM "" #endif +#ifdef CONFIG_GRKERNSEC +#define MODULE_GRSEC "GRSECURITY " +#else +#define MODULE_GRSEC "" +#endif + #ifdef CONFIG_4KSTACKS #define MODULE_STACKSIZE "4KSTACKS " #else #define MODULE_STACKSIZE "" #endif -#define MODULE_ARCH_VERMAGIC MODULE_PROC_FAMILY MODULE_REGPARM MODULE_STACKSIZE +#define MODULE_ARCH_VERMAGIC MODULE_PROC_FAMILY MODULE_REGPARM MODULE_STACKSIZE MODULE_GRSEC #endif /* _ASM_I386_MODULE_H */ diff -uNr linux-2.6.7-rc1.orig/include/linux/binfmts.h linux-2.6.7-rc1/include/linux/binfmts.h --- linux-2.6.7-rc1.orig/include/linux/binfmts.h 2004-05-23 07:54:18.000000000 +0200 +++ linux-2.6.7-rc1/include/linux/binfmts.h 2004-05-25 14:33:59.302345000 +0200 @@ -36,6 +36,7 @@ of the time same as filename, but could be different for binfmt_{misc,script} */ unsigned long loader, exec; + int misc; }; /* diff -uNr linux-2.6.7-rc1.orig/include/linux/fs.h linux-2.6.7-rc1/include/linux/fs.h --- linux-2.6.7-rc1.orig/include/linux/fs.h 2004-05-23 07:53:47.000000000 +0200 +++ linux-2.6.7-rc1/include/linux/fs.h 2004-05-25 14:33:59.335339984 +0200 @@ -1192,7 +1192,7 @@ /* fs/open.c */ -extern int do_truncate(struct dentry *, loff_t start); +extern int do_truncate(struct dentry *, loff_t start, struct vfsmount *); extern struct file *filp_open(const char *, int, int); extern struct file * dentry_open(struct dentry *, struct vfsmount *, int); extern int filp_close(struct file *, fl_owner_t id); diff -uNr linux-2.6.7-rc1.orig/include/linux/gracl.h linux-2.6.7-rc1/include/linux/gracl.h --- linux-2.6.7-rc1.orig/include/linux/gracl.h 1970-01-01 01:00:00.000000000 +0100 +++ linux-2.6.7-rc1/include/linux/gracl.h 2004-05-25 14:33:59.339339376 +0200 @@ -0,0 +1,246 @@ +#ifndef GR_ACL_H +#define GR_ACL_H +#endif +#include +#include +#include +#include + +/* * * * * * * * * * * * * * * * * * * * * + * grsecurity ACL System + * Main header file + * Purpose: define most gracl data structures + * * * * * * * * * * * * * * * * * * * * */ + +/* Major status information */ + +#define GR_VERSION "grsecurity 2.0" + +enum { + + SHUTDOWN = 0, + ENABLE = 1, + SPROLE = 2, + RELOAD = 3, + SEGVMOD = 4, + STATUS = 5, + UNSPROLE = 6 +}; + +/* Password setup definitions + * kernel/grhash.c */ +enum { + GR_PW_LEN = 128, + GR_SALT_LEN = 16, + GR_SHA_LEN = 32, +}; + +enum { + GR_SPROLE_LEN = 64, +}; + +/* Begin Data Structures */ + +struct sprole_pw { + unsigned char *rolename; + unsigned char salt[GR_SALT_LEN]; + unsigned char sum[GR_SHA_LEN]; /* 256-bit SHA hash of the password */ +}; + +struct name_entry { + ino_t inode; + dev_t device; + char *name; + __u16 len; +}; + +struct acl_role_db { + struct acl_role_label **r_hash; + __u32 r_size; +}; + +struct name_db { + struct name_entry **n_hash; + __u32 n_size; +}; + +struct crash_uid { + uid_t uid; + unsigned long expires; +}; + +struct gr_hash_struct { + void **table; + void **nametable; + void *first; + __u32 table_size; + __u32 used_size; + int type; +}; + +/* Userspace Grsecurity ACL data structures */ +struct acl_subject_label { + char *filename; + ino_t inode; + dev_t device; + __u32 mode; + __u32 cap_mask; + __u32 cap_lower; + + struct rlimit res[RLIM_NLIMITS + 1]; + __u16 resmask; + + __u8 user_trans_type; + __u8 group_trans_type; + uid_t *user_transitions; + gid_t *group_transitions; + __u16 user_trans_num; + __u16 group_trans_num; + + __u32 ip_proto[8]; + __u32 ip_type; + struct acl_ip_label **ips; + __u32 ip_num; + + __u32 crashes; + unsigned long expires; + + struct acl_subject_label *parent_subject; + struct gr_hash_struct *hash; + struct acl_ip_label *ip_object; + struct acl_subject_label *prev; + struct acl_subject_label *next; + + struct acl_object_label **obj_hash; + __u32 obj_hash_size; +}; + +struct role_allowed_ip { + __u32 addr; + __u32 netmask; + + struct role_allowed_ip *prev; + struct role_allowed_ip *next; +}; + +struct role_transition { + char *rolename; + + struct role_transition *prev; + struct role_transition *next; +}; + +struct acl_role_label { + char *rolename; + uid_t uidgid; + __u16 roletype; + + __u16 auth_attempts; + unsigned long expires; + + struct acl_subject_label *root_label; + struct gr_hash_struct *hash; + + struct acl_role_label *prev; + struct acl_role_label *next; + + struct role_transition *transitions; + struct role_allowed_ip *allowed_ips; + struct acl_subject_label **subj_hash; + __u32 subj_hash_size; +}; + +struct user_acl_role_db { + struct acl_role_label **r_table; + __u32 r_entries; /* number of entries in table */ + __u32 s_entries; /* total number of subject acls */ + __u32 i_entries; /* total number of ip acls */ + __u32 o_entries; /* Total number of object acls */ + __u32 g_entries; /* total number of globbed objects */ + __u32 a_entries; /* total number of allowed ips */ + __u32 t_entries; /* total number of transitions */ +}; + +struct acl_object_label { + char *filename; + ino_t inode; + dev_t device; + __u32 mode; + + struct acl_subject_label *nested; + struct acl_object_label *globbed; + + /* next two structures not used */ + + struct acl_object_label *prev; + struct acl_object_label *next; +}; + +struct acl_ip_label { + __u32 addr; + __u32 netmask; + __u16 low, high; + __u8 mode; + __u32 type; + __u32 proto[8]; + + /* next two structures not used */ + + struct acl_ip_label *prev; + struct acl_ip_label *next; +}; + +struct gr_arg { + struct user_acl_role_db role_db; + unsigned char pw[GR_PW_LEN]; + unsigned char salt[GR_SALT_LEN]; + unsigned char sum[GR_SHA_LEN]; + unsigned char sp_role[GR_SPROLE_LEN]; + struct sprole_pw *sprole_pws; + dev_t segv_device; + ino_t segv_inode; + uid_t segv_uid; + __u16 num_sprole_pws; + __u16 mode; +}; + +struct subject_map { + struct acl_subject_label *user; + struct acl_subject_label *kernel; +}; + +struct acl_subj_map_db { + struct subject_map **s_hash; + __u32 s_size; +}; + +/* End Data Structures Section */ + +/* Hash functions generated by empirical testing by Brad Spengler + Makes good use of the low bits of the inode. Generally 0-1 times + in loop for successful match. 0-3 for unsuccessful match. + Shift/add algorithm with modulus of table size and an XOR*/ + +static __inline__ unsigned long +rhash(const uid_t uid, const __u16 type, const unsigned long sz) +{ + return (((uid << type) + (uid ^ type)) % sz); +} + + static __inline__ unsigned long +shash(const struct acl_subject_label *userp, const unsigned long sz) +{ + return ((const unsigned long)userp % sz); +} + +static __inline__ unsigned long +fhash(const ino_t ino, const dev_t dev, const unsigned long sz) +{ + return (((ino + dev) ^ ((ino << 13) + (ino << 23) + (dev << 9))) % sz); +} + +static __inline__ unsigned long +nhash(const char *name, const __u16 len, const unsigned long sz) +{ + return full_name_hash(name, len) % sz; +} diff -uNr linux-2.6.7-rc1.orig/include/linux/gralloc.h linux-2.6.7-rc1/include/linux/gralloc.h --- linux-2.6.7-rc1.orig/include/linux/gralloc.h 1970-01-01 01:00:00.000000000 +0100 +++ linux-2.6.7-rc1/include/linux/gralloc.h 2004-05-25 14:33:59.341339072 +0200 @@ -0,0 +1,8 @@ +#ifndef __GRALLOC_H +#define __GRALLOC_H + +void acl_free_all(void); +int acl_alloc_stack_init(unsigned long size); +void *acl_alloc(unsigned long len); + +#endif diff -uNr linux-2.6.7-rc1.orig/include/linux/grdefs.h linux-2.6.7-rc1/include/linux/grdefs.h --- linux-2.6.7-rc1.orig/include/linux/grdefs.h 1970-01-01 01:00:00.000000000 +0100 +++ linux-2.6.7-rc1/include/linux/grdefs.h 2004-05-25 14:33:59.342338920 +0200 @@ -0,0 +1,116 @@ +#ifndef GRDEFS_H +#define GRDEFS_H + +/* Begin grsecurity status declarations */ + +enum { + GR_READY = 0x01, + GR_STATUS_INIT = 0x00 // disabled state +}; + +/* Begin ACL declarations */ + +/* Role flags */ + +enum { + GR_ROLE_USER = 0x0001, + GR_ROLE_GROUP = 0x0002, + GR_ROLE_DEFAULT = 0x0004, + GR_ROLE_SPECIAL = 0x0008, + GR_ROLE_AUTH = 0x0010, + GR_ROLE_NOPW = 0x0020, + GR_ROLE_GOD = 0x0040, + GR_ROLE_LEARN = 0x0080, + GR_ROLE_TPE = 0x0100 +}; + +/* ACL Subject and Object mode flags */ +enum { + GR_DELETED = 0x00000080 +}; + +/* ACL Object-only mode flags */ +enum { + GR_READ = 0x00000001, + GR_APPEND = 0x00000002, + GR_WRITE = 0x00000004, + GR_EXEC = 0x00000008, + GR_FIND = 0x00000010, + GR_INHERIT = 0x00000040, + GR_PTRACERD = 0x00000100, + GR_SETID = 0x00000200, + GR_CREATE = 0x00000400, + GR_DELETE = 0x00000800, + GR_NOPTRACE = 0x00001000, + GR_AUDIT_READ = 0x00002000, + GR_AUDIT_APPEND = 0x00004000, + GR_AUDIT_WRITE = 0x00008000, + GR_AUDIT_EXEC = 0x00010000, + GR_AUDIT_FIND = 0x00020000, + GR_AUDIT_INHERIT= 0x00040000, + GR_AUDIT_SETID = 0x00080000, + GR_AUDIT_CREATE = 0x00100000, + GR_AUDIT_DELETE = 0x00200000, + GR_SUPPRESS = 0x00400000, + GR_NOLEARN = 0x00800000 +}; + +#define GR_AUDITS (GR_AUDIT_READ | GR_AUDIT_WRITE | GR_AUDIT_APPEND | GR_AUDIT_EXEC | \ + GR_AUDIT_FIND | GR_AUDIT_INHERIT | GR_AUDIT_SETID | \ + GR_AUDIT_CREATE | GR_AUDIT_DELETE) + +/* ACL subject-only mode flags */ +enum { + GR_KILL = 0x00000001, + GR_VIEW = 0x00000002, + GR_PROTECTED = 0x00000100, + GR_LEARN = 0x00000200, + GR_OVERRIDE = 0x00000400, + /* just a placeholder, this mode is only used in userspace */ + GR_DUMMY = 0x00000800, + GR_PAXPAGE = 0x00001000, + GR_PAXSEGM = 0x00002000, + GR_PAXGCC = 0x00004000, + GR_PAXRANDMMAP = 0x00008000, + GR_PAXRANDEXEC = 0x00010000, + GR_PAXMPROTECT = 0x00020000, + GR_PROTSHM = 0x00040000, + GR_KILLPROC = 0x00080000, + GR_KILLIPPROC = 0x00100000, + /* just a placeholder, this mode is only used in userspace */ + GR_NOTROJAN = 0x00200000, + GR_PROTPROCFD = 0x00400000, + GR_PROCACCT = 0x00800000, + GR_RELAXPTRACE = 0x01000000, + GR_NESTED = 0x02000000 +}; + +enum { + GR_ID_USER = 0x01, + GR_ID_GROUP = 0x02, +}; + +enum { + GR_ID_ALLOW = 0x01, + GR_ID_DENY = 0x02, +}; + +#define GR_CRASH_RES 11 +#define GR_UIDTABLE_MAX 500 + +/* begin resource learning section */ +enum { + GR_RLIM_CPU_BUMP = 60, + GR_RLIM_FSIZE_BUMP = 50000, + GR_RLIM_DATA_BUMP = 10000, + GR_RLIM_STACK_BUMP = 1000, + GR_RLIM_CORE_BUMP = 10000, + GR_RLIM_RSS_BUMP = 500000, + GR_RLIM_NPROC_BUMP = 1, + GR_RLIM_NOFILE_BUMP = 5, + GR_RLIM_MEMLOCK_BUMP = 50000, + GR_RLIM_AS_BUMP = 500000, + GR_RLIM_LOCKS_BUMP = 2 +}; + +#endif diff -uNr linux-2.6.7-rc1.orig/include/linux/grinternal.h linux-2.6.7-rc1/include/linux/grinternal.h --- linux-2.6.7-rc1.orig/include/linux/grinternal.h 1970-01-01 01:00:00.000000000 +0100 +++ linux-2.6.7-rc1/include/linux/grinternal.h 2004-05-25 14:33:59.344338616 +0200 @@ -0,0 +1,200 @@ +#ifndef __GRINTERNAL_H +#define __GRINTERNAL_H + +#ifdef CONFIG_GRKERNSEC + +#include +#include +#include + +extern void gr_add_learn_entry(const char *fmt, ...); +extern __u32 gr_search_file(const struct dentry *dentry, const __u32 mode, + const struct vfsmount *mnt); +extern __u32 gr_check_create(const struct dentry *new_dentry, + const struct dentry *parent, + const struct vfsmount *mnt, const __u32 mode); +extern int gr_check_protected_task(const struct task_struct *task); +extern __u32 to_gr_audit(const __u32 reqmode); +extern int gr_set_acls(const int type); + +extern void gr_handle_alertkill(void); +extern char *gr_to_filename(const struct dentry *dentry, + const struct vfsmount *mnt); +extern char *gr_to_filename1(const struct dentry *dentry, + const struct vfsmount *mnt); +extern char *gr_to_filename2(const struct dentry *dentry, + const struct vfsmount *mnt); +extern char *gr_to_filename3(const struct dentry *dentry, + const struct vfsmount *mnt); + +extern int grsec_enable_link; +extern int grsec_enable_fifo; +extern int grsec_enable_execve; +extern int grsec_enable_forkbomb; +extern int grsec_forkbomb_gid; +extern int grsec_forkbomb_sec; +extern int grsec_forkbomb_max; +extern int grsec_enable_execlog; +extern int grsec_enable_signal; +extern int grsec_enable_forkfail; +extern int grsec_enable_time; +extern int grsec_enable_chroot_shmat; +extern int grsec_enable_chroot_findtask; +extern int grsec_enable_chroot_mount; +extern int grsec_enable_chroot_double; +extern int grsec_enable_chroot_pivot; +extern int grsec_enable_chroot_chdir; +extern int grsec_enable_chroot_chmod; +extern int grsec_enable_chroot_mknod; +extern int grsec_enable_chroot_fchdir; +extern int grsec_enable_chroot_nice; +extern int grsec_enable_chroot_execlog; +extern int grsec_enable_chroot_caps; +extern int grsec_enable_chroot_sysctl; +extern int grsec_enable_chroot_unix; +extern int grsec_enable_tpe; +extern int grsec_tpe_gid; +extern int grsec_enable_tpe_all; +extern int grsec_enable_sidcaps; +extern int grsec_enable_randpid; +extern int grsec_enable_socket_all; +extern int grsec_socket_all_gid; +extern int grsec_enable_socket_client; +extern int grsec_socket_client_gid; +extern int grsec_enable_socket_server; +extern int grsec_socket_server_gid; +extern int grsec_audit_gid; +extern int grsec_enable_group; +extern int grsec_enable_audit_ipc; +extern int grsec_enable_mount; +extern int grsec_enable_chdir; +extern int grsec_lock; + +extern struct task_struct *child_reaper; + +extern spinlock_t grsec_alert_lock; +extern unsigned long grsec_alert_wtime; +extern unsigned long grsec_alert_fyet; + +extern spinlock_t grsec_alertgood_lock; +extern unsigned long grsec_alertgood_wtime; +extern unsigned long grsec_alertgood_fyet; + +extern spinlock_t grsec_audit_lock; + +#define gr_task_fullpath(tsk) (tsk->exec_file ? \ + gr_to_filename2(tsk->exec_file->f_dentry, \ + tsk->exec_file->f_vfsmnt) : "/") + +#define gr_parent_task_fullpath(tsk) (tsk->parent->exec_file ? \ + gr_to_filename3(tsk->parent->exec_file->f_dentry, \ + tsk->parent->exec_file->f_vfsmnt) : "/") + +#define gr_task_fullpath0(tsk) (tsk->exec_file ? \ + gr_to_filename(tsk->exec_file->f_dentry, \ + tsk->exec_file->f_vfsmnt) : "/") + +#define gr_parent_task_fullpath0(tsk) (tsk->parent->exec_file ? \ + gr_to_filename1(tsk->parent->exec_file->f_dentry, \ + tsk->parent->exec_file->f_vfsmnt) : "/") + +#define proc_is_chrooted(tsk_a) ((tsk_a->pid > 1) && \ + ((tsk_a->fs->root->d_inode->i_sb->s_dev != \ + child_reaper->fs->root->d_inode->i_sb->s_dev) || \ + (tsk_a->fs->root->d_inode->i_ino != \ + child_reaper->fs->root->d_inode->i_ino))) + +#define have_same_root(tsk_a,tsk_b) ((tsk_a->fs->root->d_inode->i_sb->s_dev == \ + tsk_b->fs->root->d_inode->i_sb->s_dev) && \ + (tsk_a->fs->root->d_inode->i_ino == \ + tsk_b->fs->root->d_inode->i_ino)) + +#define DEFAULTSECARGS gr_task_fullpath(current), current->comm, \ + current->pid, current->uid, \ + current->euid, current->gid, current->egid, \ + gr_parent_task_fullpath(current), \ + current->parent->comm, current->parent->pid, \ + current->parent->uid, current->parent->euid, \ + current->parent->gid, current->parent->egid + +#define GR_CHROOT_CAPS ( \ + CAP_TO_MASK(CAP_FOWNER) | \ + CAP_TO_MASK(CAP_LINUX_IMMUTABLE) | CAP_TO_MASK(CAP_NET_ADMIN) | \ + CAP_TO_MASK(CAP_SYS_MODULE) | CAP_TO_MASK(CAP_SYS_RAWIO) | \ + CAP_TO_MASK(CAP_SYS_PACCT) | CAP_TO_MASK(CAP_SYS_ADMIN) | \ + CAP_TO_MASK(CAP_SYS_BOOT) | CAP_TO_MASK(CAP_SYS_TIME) | \ + CAP_TO_MASK(CAP_NET_RAW) | CAP_TO_MASK(CAP_SYS_TTY_CONFIG) | \ + CAP_TO_MASK(CAP_IPC_OWNER)) + +#define security_alert_good(normal_msg,args...) \ +({ \ + spin_lock(&grsec_alertgood_lock); \ + \ + if (!grsec_alertgood_wtime || get_seconds() - grsec_alertgood_wtime > CONFIG_GRKERNSEC_FLOODTIME) { \ + grsec_alertgood_wtime = get_seconds(); grsec_alertgood_fyet = 0; \ + if (current->curr_ip) \ + printk(KERN_ALERT "grsec: From %u.%u.%u.%u: " normal_msg "\n", NIPQUAD(current->curr_ip) , ## args); \ + else \ + printk(KERN_ALERT "grsec: " normal_msg "\n" , ## args); \ + } else if((get_seconds() - grsec_alertgood_wtime < CONFIG_GRKERNSEC_FLOODTIME) && (grsec_alertgood_fyet < CONFIG_GRKERNSEC_FLOODBURST)) { \ + grsec_alertgood_fyet++; \ + if (current->curr_ip) \ + printk(KERN_ALERT "grsec: From %u.%u.%u.%u: " normal_msg "\n", NIPQUAD(current->curr_ip) , ## args); \ + else \ + printk(KERN_ALERT "grsec: " normal_msg "\n" , ## args); \ + } else if (grsec_alertgood_fyet == CONFIG_GRKERNSEC_FLOODBURST) { \ + grsec_alertgood_wtime = get_seconds(); grsec_alertgood_fyet++; \ + printk(KERN_ALERT "grsec: more alerts, logging disabled for " \ + "%d seconds\n", CONFIG_GRKERNSEC_FLOODTIME); \ + } \ + \ + spin_unlock(&grsec_alertgood_lock); \ +}) + +#define security_alert(normal_msg,args...) \ +({ \ + spin_lock(&grsec_alert_lock); \ + \ + if (!grsec_alert_wtime || get_seconds() - grsec_alert_wtime > CONFIG_GRKERNSEC_FLOODTIME) { \ + grsec_alert_wtime = get_seconds(); grsec_alert_fyet = 0; \ + if (current->curr_ip) \ + printk(KERN_ALERT "grsec: From %u.%u.%u.%u: " normal_msg "\n", NIPQUAD(current->curr_ip) , ## args); \ + else \ + printk(KERN_ALERT "grsec: " normal_msg "\n" , ## args); \ + } else if((get_seconds() - grsec_alert_wtime < CONFIG_GRKERNSEC_FLOODTIME) && (grsec_alert_fyet < CONFIG_GRKERNSEC_FLOODBURST)) { \ + grsec_alert_fyet++; \ + if (current->curr_ip) \ + printk(KERN_ALERT "grsec: From %u.%u.%u.%u: " normal_msg "\n", NIPQUAD(current->curr_ip) , ## args); \ + else \ + printk(KERN_ALERT "grsec: " normal_msg "\n" , ## args); \ + } else if (grsec_alert_fyet == CONFIG_GRKERNSEC_FLOODBURST) { \ + grsec_alert_wtime = get_seconds(); grsec_alert_fyet++; \ + printk(KERN_ALERT "grsec: more alerts, logging disabled for " \ + "%d seconds\n", CONFIG_GRKERNSEC_FLOODTIME); \ + } \ + \ + gr_handle_alertkill(); \ + spin_unlock(&grsec_alert_lock); \ +}) + +#define security_audit(normal_msg,args...) \ +({ \ + spin_lock(&grsec_audit_lock); \ + if (current->curr_ip) \ + printk(KERN_INFO "grsec: From %u.%u.%u.%u: " normal_msg "\n", \ + NIPQUAD(current->curr_ip) , ## args); \ + else \ + printk(KERN_INFO "grsec: " normal_msg "\n", ## args); \ + spin_unlock(&grsec_audit_lock); \ +}) + +#define security_learn(normal_msg,args...) \ +({ \ + preempt_disable(); \ + gr_add_learn_entry(normal_msg "\n", ## args); \ + preempt_enable(); \ +}) + +#endif + +#endif diff -uNr linux-2.6.7-rc1.orig/include/linux/grmsg.h linux-2.6.7-rc1/include/linux/grmsg.h --- linux-2.6.7-rc1.orig/include/linux/grmsg.h 1970-01-01 01:00:00.000000000 +0100 +++ linux-2.6.7-rc1/include/linux/grmsg.h 2004-05-25 14:33:59.347338160 +0200 @@ -0,0 +1,107 @@ +#define DEFAULTSECMSG "%.256s[%.16s:%d] uid/euid:%d/%d gid/egid:%d/%d, parent %.256s[%.16s:%d] uid/euid:%d/%d gid/egid:%d/%d" +#define GR_ACL_PROCACCT_MSG "%.256s[%.16s:%d] IP:%u.%u.%u.%u TTY:%.64s uid/euid:%d/%d gid/egid:%d/%d run time:[%ud %uh %um %us] cpu time:[%ud %uh %um %us] %s with exit code %ld, parent %.256s[%.16s:%d] IP:%u.%u.%u.%u TTY:%.64s uid/euid:%d/%d gid/egid:%d/%d" +#define GR_PTRACE_ACL_MSG "denied ptrace of %.950s(%.16s:%d) by " DEFAULTSECMSG +#define GR_IOPERM_MSG "denied use of ioperm() by " DEFAULTSECMSG +#define GR_IOPL_MSG "denied use of iopl() by " DEFAULTSECMSG +#define GR_SHMAT_ACL_MSG "denied attach of shared memory of UID %u, PID %d, ID %u by " DEFAULTSECMSG +#define GR_UNIX_CHROOT_MSG "denied connect to abstract AF_UNIX socket outside of chroot by " DEFAULTSECMSG +#define GR_SHMAT_CHROOT_MSG "denied attach of shared memory outside of chroot by " DEFAULTSECMSG +#define GR_KMEM_MSG "attempted write to /dev/kmem by " DEFAULTSECMSG +#define GR_PORT_OPEN_MSG "attempted open of /dev/port by " DEFAULTSECMSG +#define GR_MEM_WRITE_MSG "attempted write of /dev/mem by " DEFAULTSECMSG +#define GR_MEM_MMAP_MSG "attempted mmap write of /dev/[k]mem by " DEFAULTSECMSG +#define GR_SYMLINK_MSG "not following symlink %.950s owned by %d.%d by " DEFAULTSECMSG +#define GR_LEARN_AUDIT_MSG "%s\t%u\t%u\t%u\t%.4095s\t%.4095s\t%lu\t%lu\t%.4095s\t%lu\t%u.%u.%u.%u" +#define GR_HIDDEN_ACL_MSG "%s access to hidden file %.950s by " DEFAULTSECMSG +#define GR_OPEN_ACL_MSG "%s open of %.950s for%s%s by " DEFAULTSECMSG +#define GR_CREATE_ACL_MSG "%s create of %.950s for%s%s by " DEFAULTSECMSG +#define GR_FIFO_MSG "denied writing FIFO %.950s of %d.%d by " DEFAULTSECMSG +#define GR_MKNOD_CHROOT_MSG "refused attempt to mknod %.950s from chroot by " DEFAULTSECMSG +#define GR_MKNOD_ACL_MSG "%s mknod of %.950s by " DEFAULTSECMSG +#define GR_UNIXCONNECT_ACL_MSG "%s connect to the unix domain socket %.950s by " DEFAULTSECMSG +#define GR_MKDIR_ACL_MSG "%s mkdir of %.950s by " DEFAULTSECMSG +#define GR_RMDIR_ACL_MSG "%s rmdir of %.950s by " DEFAULTSECMSG +#define GR_UNLINK_ACL_MSG "%s unlink of %.950s by " DEFAULTSECMSG +#define GR_SYMLINK_ACL_MSG "%s symlink from %.480s to %.480s by " DEFAULTSECMSG +#define GR_HARDLINK_MSG "denied hardlink of %.930s (owned by %d.%d) to %.30s for " DEFAULTSECMSG +#define GR_LINK_ACL_MSG "%s link of %.480s to %.480s by " DEFAULTSECMSG +#define GR_INHERIT_ACL_MSG "successful inherit of %.480s's ACL for %.480s by " DEFAULTSECMSG +#define GR_RENAME_ACL_MSG "%s rename of %.480s to %.480s by " DEFAULTSECMSG +#define GR_PTRACE_EXEC_ACL_MSG "denied ptrace of %.950s by " DEFAULTSECMSG +#define GR_NPROC_MSG "attempt to overstep process limit by " DEFAULTSECMSG +#define GR_EXEC_ACL_MSG "%s execution of %.950s by " DEFAULTSECMSG +#define GR_EXEC_TPE_MSG "denied untrusted exec of %.950s by " DEFAULTSECMSG +#define GR_SEGVSTART_ACL_MSG "possible exploit bruteforcing on " DEFAULTSECMSG " Banning uid %u from login for %lu seconds" +#define GR_SEGVNOSUID_ACL_MSG "possible exploit bruteforcing on " DEFAULTSECMSG " Banning execution for %lu seconds" +#define GR_MOUNT_CHROOT_MSG "denied attempt to mount %.30s as %.930s from chroot by " DEFAULTSECMSG +#define GR_PIVOT_CHROOT_MSG "denied attempt to pivot_root from chroot by " DEFAULTSECMSG +#define GR_TRUNCATE_ACL_MSG "%s truncate of %.950s by " DEFAULTSECMSG +#define GR_ATIME_ACL_MSG "%s access time change of %.950s by " DEFAULTSECMSG +#define GR_ACCESS_ACL_MSG "%s access of %.950s for%s%s%s by " DEFAULTSECMSG +#define GR_CHROOT_CHROOT_MSG "denied attempt to double chroot to %.950s by " DEFAULTSECMSG +#define GR_FCHMOD_ACL_MSG "%s fchmod of %.950s by " DEFAULTSECMSG +#define GR_CHMOD_CHROOT_MSG "denied attempt to chmod +s %.950s by " DEFAULTSECMSG +#define GR_CHMOD_ACL_MSG "%s chmod of %.950s by " DEFAULTSECMSG +#define GR_CHROOT_FCHDIR_MSG "attempted fchdir outside of chroot to %.950s by " DEFAULTSECMSG +#define GR_CHOWN_ACL_MSG "%s chown of %.950s by " DEFAULTSECMSG +#define GR_WRITLIB_ACL_MSG "denied load of writable library %.950s by " DEFAULTSECMSG +#define GR_INITF_ACL_MSG "init_variables() failed %s" +#define GR_DISABLED_ACL_MSG "Error loading %s, trying to run kernel with acls disabled. To disable acls at startup use gracl=off from your boot loader" +#define GR_DEV_ACL_MSG "/dev/grsec: being fed garbage %d bytes sent %d required" +#define GR_SHUTS_ACL_MSG "shutdown auth success for " DEFAULTSECMSG +#define GR_SHUTF_ACL_MSG "shutdown auth failure for " DEFAULTSECMSG +#define GR_SHUTI_ACL_MSG "ignoring shutdown for disabled RBAC system for " DEFAULTSECMSG +#define GR_SEGVMODS_ACL_MSG "segvmod auth success for " DEFAULTSECMSG +#define GR_SEGVMODF_ACL_MSG "segvmod auth failure for " DEFAULTSECMSG +#define GR_SEGVMODI_ACL_MSG "ignoring segvmod for disabled RBAC system for " DEFAULTSECMSG +#define GR_ENABLE_ACL_MSG "Loaded %s" +#define GR_ENABLEF_ACL_MSG "Unable to load %s for " DEFAULTSECMSG " RBAC system may already be enabled." +#define GR_RELOADI_ACL_MSG "Ignoring reload request for disabled RBAC system" +#define GR_RELOAD_ACL_MSG "Reloaded %s" +#define GR_RELOADF_ACL_MSG "Failed reload of %s for " DEFAULTSECMSG +#define GR_SPROLEI_ACL_MSG "Ignoring change to special role for disabled RBAC system for " DEFAULTSECMSG +#define GR_SPROLES_ACL_MSG "successful change to special role %s (id %d) by " DEFAULTSECMSG +#define GR_SPROLEL_ACL_MSG "special role %s (id %d) exited by " DEFAULTSECMSG +#define GR_SPROLEF_ACL_MSG "special role %s failure for " DEFAULTSECMSG +#define GR_UNSPROLEI_ACL_MSG "Ignoring unauth of special role for disabled RBAC system for " DEFAULTSECMSG +#define GR_UNSPROLES_ACL_MSG "successful unauth of special role %s (id %d) by " DEFAULTSECMSG +#define GR_UNSPROLEF_ACL_MSG "special role unauth of %s failure for " DEFAULTSECMSG +#define GR_INVMODE_ACL_MSG "Invalid mode %d by " DEFAULTSECMSG +#define GR_MAXPW_ACL_MSG "Maximum pw attempts reached (%d), locking password authentication" +#define GR_MAXROLEPW_ACL_MSG "Maximum pw attempts reached (%d) trying to auth to special role %s, locking auth for role of " DEFAULTSECMSG +#define GR_PRIORITY_CHROOT_MSG "attempted priority change of process (%.16s:%d) by " DEFAULTSECMSG +#define GR_CAPSET_CHROOT_MSG "denied capset of (%.16s:%d) within chroot by " DEFAULTSECMSG +#define GR_FAILFORK_MSG "failed fork with errno %d by " DEFAULTSECMSG +#define GR_NICE_CHROOT_MSG "attempted priority change by " DEFAULTSECMSG +#define GR_UNISIGLOG_MSG "signal %d sent to " DEFAULTSECMSG +#define GR_DUALSIGLOG_MSG "signal %d sent to " DEFAULTSECMSG " by " DEFAULTSECMSG +#define GR_SIG_ACL_MSG "Attempted send of signal %d to protected task " DEFAULTSECMSG " by " DEFAULTSECMSG +#define GR_SYSCTL_MSG "attempt to modify grsecurity sysctl value : %.32s by " DEFAULTSECMSG +#define GR_SYSCTL_ACL_MSG "%s sysctl of %.950s for%s%s by " DEFAULTSECMSG +#define GR_TIME_MSG "time set by " DEFAULTSECMSG +#define GR_DEFACL_MSG "Fatal: Unable to find ACL for (%.16s:%d)" +#define GR_MMAP_ACL_MSG "%s executable mmap of %.950s by " DEFAULTSECMSG +#define GR_MPROTECT_ACL_MSG "%s executable mprotect of %.950s by " DEFAULTSECMSG +#define GR_SOCK_MSG "attempted socket(%.16s,%.16s,%.16s) by " DEFAULTSECMSG +#define GR_SOCK2_MSG "attempted socket(%d,%.16s,%.16s) by " DEFAULTSECMSG +#define GR_BIND_MSG "attempted bind() by " DEFAULTSECMSG +#define GR_CONNECT_MSG "attempted connect by " DEFAULTSECMSG +#define GR_BIND_ACL_MSG "attempted bind to %u.%u.%u.%u port %u sock type %.16s protocol %.16s by " DEFAULTSECMSG +#define GR_CONNECT_ACL_MSG "attempted connect to %u.%u.%u.%u port %u sock type %.16s protocol %.16s by " DEFAULTSECMSG +#define GR_IP_LEARN_MSG "%s\t%u\t%u\t%u\t%.4095s\t%.4095s\t%u.%u.%u.%u\t%u\t%u\t%u\t%u\t%u.%u.%u.%u" +#define GR_EXEC_CHROOT_MSG "exec of %.980s within chroot by process " DEFAULTSECMSG +#define GR_CAP_ACL_MSG "use of %s denied for " DEFAULTSECMSG +#define GR_USRCHANGE_ACL_MSG "change to uid %d denied for " DEFAULTSECMSG +#define GR_GRPCHANGE_ACL_MSG "change to gid %d denied for " DEFAULTSECMSG +#define GR_REMOUNT_AUDIT_MSG "remount of %.30s by " DEFAULTSECMSG +#define GR_UNMOUNT_AUDIT_MSG "unmount of %.30s by " DEFAULTSECMSG +#define GR_MOUNT_AUDIT_MSG "mount %.30s to %.64s by " DEFAULTSECMSG +#define GR_CHDIR_AUDIT_MSG "chdir to %.980s by " DEFAULTSECMSG +#define GR_EXEC_AUDIT_MSG "exec of %.930s (%.63s) by " DEFAULTSECMSG +#define GR_MSGQ_AUDIT_MSG "message queue created by " DEFAULTSECMSG +#define GR_MSGQR_AUDIT_MSG "message queue of uid:%d euid:%d removed by " DEFAULTSECMSG +#define GR_SEM_AUDIT_MSG "semaphore created by " DEFAULTSECMSG +#define GR_SEMR_AUDIT_MSG "semaphore of uid:%d euid:%d removed by " DEFAULTSECMSG +#define GR_SHM_AUDIT_MSG "shared memory of size %d created by " DEFAULTSECMSG +#define GR_SHMR_AUDIT_MSG "shared memory of uid:%d euid:%d removed by " DEFAULTSECMSG +#define GR_RESOURCE_MSG "attempted resource overstep by requesting %lu for %.16s against limit %lu by " DEFAULTSECMSG diff -uNr linux-2.6.7-rc1.orig/include/linux/grsecurity.h linux-2.6.7-rc1/include/linux/grsecurity.h --- linux-2.6.7-rc1.orig/include/linux/grsecurity.h 1970-01-01 01:00:00.000000000 +0100 +++ linux-2.6.7-rc1/include/linux/grsecurity.h 2004-05-25 14:33:59.349337856 +0200 @@ -0,0 +1,187 @@ +#ifndef GR_SECURITY_H +#define GR_SECURITY_H +#include +#include + +extern int gr_check_user_change(int real, int effective, int fs); +extern int gr_check_group_change(int real, int effective, int fs); + +extern void gr_add_to_task_ip_table(struct task_struct *p); +extern void gr_del_task_from_ip_table(struct task_struct *p); + +extern int gr_pid_is_chrooted(const struct task_struct *p); +extern int gr_handle_chroot_nice(void); +extern int gr_handle_chroot_sysctl(const int op); +extern int gr_handle_chroot_capset(const struct task_struct *target); +extern int gr_handle_chroot_setpriority(struct task_struct *p, + const int niceval); +extern int gr_chroot_fchdir(struct dentry *u_dentry, struct vfsmount *u_mnt); +extern int gr_handle_chroot_chroot(const struct dentry *dentry, + const struct vfsmount *mnt); +extern void gr_handle_chroot_caps(struct task_struct *task); +extern void gr_handle_chroot_chdir(struct dentry *dentry, struct vfsmount *mnt); +extern int gr_handle_chroot_chmod(const struct dentry *dentry, + const struct vfsmount *mnt, const int mode); +extern int gr_handle_chroot_mknod(const struct dentry *dentry, + const struct vfsmount *mnt, const int mode); +extern int gr_handle_chroot_mount(const struct dentry *dentry, + const struct vfsmount *mnt, + const char *dev_name); +extern int gr_handle_chroot_pivot(void); +extern int gr_handle_chroot_unix(const pid_t pid); + +extern int gr_handle_rawio(const struct inode *inode); +extern int gr_handle_nproc(void); + +extern void gr_handle_ioperm(void); +extern void gr_handle_iopl(void); + +extern int gr_tpe_allow(const struct file *file); + +extern int gr_random_pid(void); + +extern void gr_log_forkfail(const int retval); +extern void gr_log_timechange(void); +extern void gr_log_signal(const int sig, const struct task_struct *t); +extern void gr_log_chdir(const struct dentry *dentry, + const struct vfsmount *mnt); +extern void gr_log_chroot_exec(const struct dentry *dentry, + const struct vfsmount *mnt); +extern void gr_handle_exec_args(struct linux_binprm *bprm, char **argv); +extern void gr_log_remount(const char *devname, const int retval); +extern void gr_log_unmount(const char *devname, const int retval); +extern void gr_log_mount(const char *from, const char *to, const int retval); +extern void gr_log_msgget(const int ret, const int msgflg); +extern void gr_log_msgrm(const uid_t uid, const uid_t cuid); +extern void gr_log_semget(const int err, const int semflg); +extern void gr_log_semrm(const uid_t uid, const uid_t cuid); +extern void gr_log_shmget(const int err, const int shmflg, const size_t size); +extern void gr_log_shmrm(const uid_t uid, const uid_t cuid); + +extern int gr_handle_follow_link(const struct inode *parent, + const struct inode *inode, + const struct dentry *dentry, + const struct vfsmount *mnt); +extern int gr_handle_fifo(const struct dentry *dentry, + const struct vfsmount *mnt, + const struct dentry *dir, const int flag, + const int acc_mode); +extern int gr_handle_hardlink(const struct dentry *dentry, + const struct vfsmount *mnt, + struct inode *inode, + const int mode, const char *to); + +extern int gr_task_is_capable(struct task_struct *task, const int cap); +extern int gr_is_capable_nolog(const int cap); +extern void gr_learn_resource(const struct task_struct *task, const int limit, + const unsigned long wanted, const int gt); +extern void gr_copy_label(struct task_struct *tsk); +extern void gr_handle_crash(struct task_struct *task, const int sig); +extern int gr_handle_signal(const struct task_struct *p, const int sig); +extern int gr_check_crash_uid(const uid_t uid); +extern int gr_check_protected_task(const struct task_struct *task); +extern int gr_acl_handle_mmap(const struct file *file, + const unsigned long prot); +extern int gr_acl_handle_mprotect(const struct file *file, + const unsigned long prot); +extern int gr_check_hidden_task(const struct task_struct *tsk); +extern __u32 gr_acl_handle_truncate(const struct dentry *dentry, + const struct vfsmount *mnt); +extern __u32 gr_acl_handle_utime(const struct dentry *dentry, + const struct vfsmount *mnt); +extern __u32 gr_acl_handle_access(const struct dentry *dentry, + const struct vfsmount *mnt, const int fmode); +extern __u32 gr_acl_handle_fchmod(const struct dentry *dentry, + const struct vfsmount *mnt, mode_t mode); +extern __u32 gr_acl_handle_chmod(const struct dentry *dentry, + const struct vfsmount *mnt, mode_t mode); +extern __u32 gr_acl_handle_chown(const struct dentry *dentry, + const struct vfsmount *mnt); +extern int gr_handle_ptrace_exec(const struct dentry *dentry, + const struct vfsmount *mnt); +extern int gr_handle_ptrace(struct task_struct *task, const long request); +extern int gr_handle_proc_ptrace(struct task_struct *task); +extern int gr_handle_mmap(const struct file *filp, const unsigned long prot); +extern __u32 gr_acl_handle_execve(const struct dentry *dentry, + const struct vfsmount *mnt); +extern int gr_check_crash_exec(const struct file *filp); +extern int gr_acl_is_enabled(void); +extern void gr_set_kernel_label(struct task_struct *task); +extern void gr_set_role_label(struct task_struct *task, const uid_t uid, + const gid_t gid); +extern void gr_set_proc_label(const struct dentry *dentry, + const struct vfsmount *mnt); +extern __u32 gr_acl_handle_hidden_file(const struct dentry *dentry, + const struct vfsmount *mnt); +extern __u32 gr_acl_handle_open(const struct dentry *dentry, + const struct vfsmount *mnt, const int fmode); +extern __u32 gr_acl_handle_creat(const struct dentry *dentry, + const struct dentry *p_dentry, + const struct vfsmount *p_mnt, const int fmode, + const int imode); +extern void gr_handle_create(const struct dentry *dentry, + const struct vfsmount *mnt); +extern __u32 gr_acl_handle_mknod(const struct dentry *new_dentry, + const struct dentry *parent_dentry, + const struct vfsmount *parent_mnt, + const int mode); +extern __u32 gr_acl_handle_mkdir(const struct dentry *new_dentry, + const struct dentry *parent_dentry, + const struct vfsmount *parent_mnt); +extern __u32 gr_acl_handle_rmdir(const struct dentry *dentry, + const struct vfsmount *mnt); +extern void gr_handle_delete(const ino_t ino, const dev_t dev); +extern __u32 gr_acl_handle_unlink(const struct dentry *dentry, + const struct vfsmount *mnt); +extern __u32 gr_acl_handle_symlink(const struct dentry *new_dentry, + const struct dentry *parent_dentry, + const struct vfsmount *parent_mnt, + const char *from); +extern __u32 gr_acl_handle_link(const struct dentry *new_dentry, + const struct dentry *parent_dentry, + const struct vfsmount *parent_mnt, + const struct dentry *old_dentry, + const struct vfsmount *old_mnt, const char *to); +extern int gr_acl_handle_rename(struct dentry *new_dentry, + struct dentry *parent_dentry, + const struct vfsmount *parent_mnt, + struct dentry *old_dentry, + struct inode *old_parent_inode, + struct vfsmount *old_mnt, const char *newname); +extern void gr_handle_rename(struct inode *old_dir, struct inode *new_dir, + struct dentry *old_dentry, + struct dentry *new_dentry, + struct vfsmount *mnt, const __u8 replace); +extern __u32 gr_check_link(const struct dentry *new_dentry, + const struct dentry *parent_dentry, + const struct vfsmount *parent_mnt, + const struct dentry *old_dentry, + const struct vfsmount *old_mnt); +extern __u32 gr_acl_handle_filldir(const struct dentry *dentry, + const struct vfsmount *mnt, const ino_t ino); +extern __u32 gr_acl_handle_unix(const struct dentry *dentry, + const struct vfsmount *mnt); +extern void gr_acl_handle_exit(void); +extern void gr_acl_handle_psacct(struct task_struct *task, const long code); +extern int gr_acl_handle_procpidmem(const struct task_struct *task); +extern __u32 gr_cap_rtnetlink(void); + +#ifdef CONFIG_GRKERNSEC +extern void gr_handle_mem_write(void); +extern void gr_handle_kmem_write(void); +extern void gr_handle_open_port(void); +extern int gr_handle_mem_mmap(const unsigned long offset, + struct vm_area_struct *vma); + +extern __u16 ip_randomid(void); +extern __u32 ip_randomisn(void); +extern unsigned long get_random_long(void); + +extern int grsec_enable_dmesg; +extern int grsec_enable_randid; +extern int grsec_enable_randisn; +extern int grsec_enable_randsrc; +extern int grsec_enable_randrpc; +#endif + +#endif diff -uNr linux-2.6.7-rc1.orig/include/linux/proc_fs.h linux-2.6.7-rc1/include/linux/proc_fs.h --- linux-2.6.7-rc1.orig/include/linux/proc_fs.h 2004-05-23 07:55:03.000000000 +0200 +++ linux-2.6.7-rc1/include/linux/proc_fs.h 2004-05-25 14:33:59.376333752 +0200 @@ -221,7 +221,7 @@ #endif /* CONFIG_PROC_FS */ -#if !defined(CONFIG_PROC_FS) +#if !defined(CONFIG_PROC_FS) || !defined(CONFIG_PROC_KCORE) static inline void kclist_add(struct kcore_list *new, void *addr, size_t size) { } diff -uNr linux-2.6.7-rc1.orig/include/linux/sched.h linux-2.6.7-rc1/include/linux/sched.h --- linux-2.6.7-rc2/include/linux/sched.h.orig 2004-06-02 23:31:55.729266024 +0200 +++ linux-2.6.7-rc2/include/linux/sched.h 2004-06-02 23:34:05.803491736 +0200 @@ -31,6 +31,7 @@ #include struct exec_domain; +struct linux_binprm; /* * cloning flags: @@ -518,6 +519,21 @@ struct mempolicy *mempolicy; short il_next; /* could be shared with used_math */ #endif +#ifdef CONFIG_GRKERNSEC + /* grsecurity */ + struct acl_subject_label *acl; + struct acl_role_label *role; + struct file *exec_file; + u32 curr_ip; + u32 gr_saddr; + u32 gr_daddr; + u16 gr_sport; + u16 gr_dport; + u16 acl_role_id; + u8 acl_sp_role:1; + u8 used_accept:1; + u8 is_writable:1; +#endif }; static inline pid_t process_group(struct task_struct *tsk) @@ -816,14 +832,29 @@ : on_sig_stack(sp) ? SS_ONSTACK : 0); } +extern int gr_task_is_capable(struct task_struct *task, const int cap); +extern int gr_is_capable_nolog(const int cap); #ifdef CONFIG_SECURITY /* code is in security.c */ extern int capable(int cap); +static inline int capable_nolog(int cap) +{ + return capable(cap); +} #else static inline int capable(int cap) { - if (cap_raised(current->cap_effective, cap)) { + if (cap_raised(current->cap_effective, cap) && gr_task_is_capable(current, cap)) { + current->flags |= PF_SUPERPRIV; + return 1; + } + return 0; +} + +static inline int capable_nolog(int cap) +{ + if (cap_raised(current->cap_effective, cap) && gr_is_capable_nolog(cap)) { current->flags |= PF_SUPERPRIV; return 1; } diff -uNr linux-2.6.7-rc1.orig/include/linux/shm.h linux-2.6.7-rc1/include/linux/shm.h --- linux-2.6.7-rc1.orig/include/linux/shm.h 2004-05-23 07:54:29.000000000 +0200 +++ linux-2.6.7-rc1/include/linux/shm.h 2004-05-25 14:33:59.412328280 +0200 @@ -84,6 +84,10 @@ time_t shm_ctim; pid_t shm_cprid; pid_t shm_lprid; +#ifdef CONFIG_GRKERNSEC + time_t shm_createtime; + pid_t shm_lapid; +#endif }; /* shm_mode upper byte flags */ diff -uNr linux-2.6.7-rc1.orig/include/linux/sysctl.h linux-2.6.7-rc1/include/linux/sysctl.h --- linux-2.6.7-rc1.orig/include/linux/sysctl.h 2004-05-25 14:25:39.000000000 +0200 +++ linux-2.6.7-rc1/include/linux/sysctl.h 2004-05-25 14:33:59.418327368 +0200 @@ -133,6 +133,7 @@ KERN_NGROUPS_MAX=63, /* int: NGROUPS_MAX */ KERN_SPARC_SCONS_PWROFF=64, /* int: serial console power-off halt */ KERN_HZ_TIMER=65, /* int: hz timer on or off */ + KERN_GRSECURITY=68, /* grsecurity */ }; diff -uNr linux-2.6.7-rc1.orig/include/net/ip.h linux-2.6.7-rc1/include/net/ip.h --- linux-2.6.7-rc1.orig/include/net/ip.h 2004-05-25 14:25:40.000000000 +0200 +++ linux-2.6.7-rc1/include/net/ip.h 2004-05-25 14:33:59.430325544 +0200 @@ -34,6 +34,11 @@ #include #include +#ifdef CONFIG_GRKERNSEC_RANDID +extern int grsec_enable_randid; +extern __u16 ip_randomid(void); +#endif + struct sock; struct inet_skb_parm @@ -191,6 +196,13 @@ static inline void ip_select_ident(struct iphdr *iph, struct dst_entry *dst, struct sock *sk) { + +#ifdef CONFIG_GRKERNSEC_RANDID + if (grsec_enable_randid) + iph->id = htons(ip_randomid()); + else +#endif + if (iph->frag_off & htons(IP_DF)) { /* This is only to work around buggy Windows95/2000 * VJ compression implementations. If the ID field diff -uNr linux-2.6.7-rc1.orig/init/Kconfig linux-2.6.7-rc1/init/Kconfig --- linux-2.6.7-rc1.orig/init/Kconfig 2004-05-23 07:54:30.000000000 +0200 +++ linux-2.6.7-rc1/init/Kconfig 2004-05-25 14:33:59.434324936 +0200 @@ -230,6 +230,7 @@ config KALLSYMS bool "Load all symbols for debugging/kksymoops" if EMBEDDED default y + depends on !GRKERNSEC_HIDESYM help Say Y here to let the kernel print out symbolic crash information and symbolic stack backtraces. This increases the size of the kernel diff -uNr linux-2.6.7-rc1.orig/init/main.c linux-2.6.7-rc1/init/main.c --- linux-2.6.7-rc1.orig/init/main.c 2004-05-23 07:53:46.000000000 +0200 +++ linux-2.6.7-rc1/init/main.c 2004-05-25 14:33:59.440324024 +0200 @@ -91,6 +91,7 @@ extern void populate_rootfs(void); extern void driver_init(void); extern void prepare_namespace(void); +extern void grsecurity_init(void); #ifdef CONFIG_TC extern void tc_init(void); @@ -638,6 +639,7 @@ else prepare_namespace(); + grsecurity_init(); /* * Ok, we have completed the initial bootup, and * we're essentially up and running. Get rid of the diff -uNr linux-2.6.7-rc1.orig/ipc/msg.c linux-2.6.7-rc1/ipc/msg.c --- linux-2.6.7-rc1.orig/ipc/msg.c 2004-05-23 07:53:30.000000000 +0200 +++ linux-2.6.7-rc1/ipc/msg.c 2004-05-25 14:33:59.445323264 +0200 @@ -24,6 +24,7 @@ #include #include #include +#include #include #include #include "util.h" @@ -226,6 +227,9 @@ msg_unlock(msq); } up(&msg_ids.sem); + + gr_log_msgget(ret, msgflg); + return ret; } @@ -475,6 +479,8 @@ break; } case IPC_RMID: + gr_log_msgrm(ipcp->uid, ipcp->cuid); + freeque (msq, msqid); break; } diff -uNr linux-2.6.7-rc1.orig/ipc/sem.c linux-2.6.7-rc1/ipc/sem.c --- linux-2.6.7-rc1.orig/ipc/sem.c 2004-05-23 07:53:57.000000000 +0200 +++ linux-2.6.7-rc1/ipc/sem.c 2004-05-25 14:33:59.448322808 +0200 @@ -71,6 +71,7 @@ #include #include #include +#include #include #include "util.h" @@ -238,6 +239,9 @@ } up(&sem_ids.sem); + + gr_log_semget(err, semflg); + return err; } @@ -804,6 +808,8 @@ switch(cmd){ case IPC_RMID: + gr_log_semrm(ipcp->uid, ipcp->cuid); + freeary(sma, semid); err = 0; break; diff -uNr linux-2.6.7-rc1.orig/ipc/shm.c linux-2.6.7-rc1/ipc/shm.c --- linux-2.6.7-rc1.orig/ipc/shm.c 2004-05-23 07:54:17.000000000 +0200 +++ linux-2.6.7-rc1/ipc/shm.c 2004-05-25 14:33:59.460320984 +0200 @@ -26,6 +26,7 @@ #include #include #include +#include #include #include "util.h" @@ -50,6 +51,14 @@ static int sysvipc_shm_read_proc(char *buffer, char **start, off_t offset, int length, int *eof, void *data); #endif +#ifdef CONFIG_GRKERNSEC +extern int gr_handle_shmat(const pid_t shm_cprid, const pid_t shm_lapid, + const time_t shm_createtime, const uid_t cuid, + const int shmid); +extern int gr_chroot_shmat(const pid_t shm_cprid, const pid_t shm_lapid, + const time_t shm_createtime); +#endif + size_t shm_ctlmax = SHMMAX; size_t shm_ctlall = SHMALL; int shm_ctlmni = SHMMNI; @@ -217,6 +226,9 @@ shp->shm_lprid = 0; shp->shm_atim = shp->shm_dtim = 0; shp->shm_ctim = get_seconds(); +#ifdef CONFIG_GRKERNSEC + shp->shm_createtime = get_seconds(); +#endif shp->shm_segsz = size; shp->shm_nattch = 0; shp->id = shm_buildid(id,shp->shm_perm.seq); @@ -271,6 +283,8 @@ } up(&shm_ids.sem); + gr_log_shmget(err, shmflg, size); + return err; } @@ -569,6 +583,8 @@ if (err) goto out_unlock_up; + gr_log_shmrm(shp->shm_perm.uid, shp->shm_perm.cuid); + if (shp->shm_nattch){ shp->shm_flags |= SHM_DEST; /* Do not find it any more */ @@ -707,9 +723,27 @@ return err; } +#ifdef CONFIG_GRKERNSEC + if (!gr_handle_shmat(shp->shm_cprid, shp->shm_lapid, shp->shm_createtime, + shp->shm_perm.cuid, shmid)) { + shm_unlock(shp); + return -EACCES; + } + + if (!gr_chroot_shmat(shp->shm_cprid, shp->shm_lapid, shp->shm_createtime)) { + shm_unlock(shp); + return -EACCES; + } +#endif + file = shp->shm_file; size = i_size_read(file->f_dentry->d_inode); shp->shm_nattch++; + +#ifdef CONFIG_GRKERNSEC + shp->shm_lapid = current->pid; +#endif + shm_unlock(shp); down_write(¤t->mm->mmap_sem); diff -uNr linux-2.6.7-rc1.orig/kernel/capability.c linux-2.6.7-rc1/kernel/capability.c --- linux-2.6.7-rc1.orig/kernel/capability.c 2004-05-23 07:54:22.000000000 +0200 +++ linux-2.6.7-rc1/kernel/capability.c 2004-05-25 14:33:59.462320680 +0200 @@ -10,6 +10,7 @@ #include #include #include +#include #include unsigned securebits = SECUREBITS_DEFAULT; /* systemwide security settings */ @@ -168,6 +169,11 @@ } else target = current; + if (gr_handle_chroot_capset(target)) { + ret = -ESRCH; + goto out; + } + ret = -EPERM; if (security_capset_check(target, &effective, &inheritable, &permitted)) diff -uNr linux-2.6.7-rc1.orig/kernel/configs.c linux-2.6.7-rc1/kernel/configs.c --- linux-2.6.7-rc1.orig/kernel/configs.c 2004-05-23 07:53:57.000000000 +0200 +++ linux-2.6.7-rc1/kernel/configs.c 2004-05-25 14:33:59.465320224 +0200 @@ -78,8 +78,16 @@ struct proc_dir_entry *entry; /* create the current config file */ +#ifdef CONFIG_GRKERNSEC_PROC_ADD +#ifdef CONFIG_GRKERNSEC_PROC_USER + entry = create_proc_entry("config.gz", S_IFREG | S_IRUSR, &proc_root); +#elif CONFIG_GRKERNSEC_PROC_USERGROUP + entry = create_proc_entry("config.gz", S_IFREG | S_IRUSR | S_IRGRP, &proc_root); +#endif +#else entry = create_proc_entry("config.gz", S_IFREG | S_IRUGO, &proc_root); +#endif if (!entry) return -ENOMEM; diff -uNr linux-2.6.7-rc1.orig/kernel/exit.c linux-2.6.7-rc1/kernel/exit.c --- linux-2.6.7-rc1.orig/kernel/exit.c 2004-05-23 07:54:43.000000000 +0200 +++ linux-2.6.7-rc1/kernel/exit.c 2004-05-25 14:33:59.468319768 +0200 @@ -23,6 +23,7 @@ #include #include #include +#include #include #include @@ -233,6 +234,13 @@ { write_lock_irq(&tasklist_lock); +#ifdef CONFIG_GRKERNSEC + if (current->exec_file) { + fput(current->exec_file); + current->exec_file = NULL; + } +#endif + ptrace_unlink(current); /* Reparent to init */ REMOVE_LINKS(current); @@ -240,6 +248,8 @@ current->real_parent = child_reaper; SET_LINKS(current); + gr_set_kernel_label(current); + /* Set the exit signal to SIGCHLD so we signal init on exit */ current->exit_signal = SIGCHLD; @@ -334,6 +344,15 @@ vsnprintf(current->comm, sizeof(current->comm), name, args); va_end(args); +#ifdef CONFIG_GRKERNSEC + if (current->exec_file) { + fput(current->exec_file); + current->exec_file = NULL; + } +#endif + + gr_set_kernel_label(current); + /* * If we were started as result of loading a module, close all of the * user space pages. We don't need them, and if we didn't close them @@ -785,6 +804,11 @@ } acct_process(code); + + gr_acl_handle_psacct(tsk, code); + gr_acl_handle_exit(); + gr_del_task_from_ip_table(tsk); + __exit_mm(tsk); exit_sem(tsk); diff -uNr linux-2.6.7-rc1.orig/kernel/fork.c linux-2.6.7-rc1/kernel/fork.c --- linux-2.6.7-rc1.orig/kernel/fork.c 2004-05-25 14:25:38.000000000 +0200 +++ linux-2.6.7-rc1/kernel/fork.c 2004-05-25 14:33:59.472319160 +0200 @@ -36,6 +36,7 @@ #include #include #include +#include #include #include @@ -279,7 +280,7 @@ mm->locked_vm = 0; mm->mmap = NULL; mm->mmap_cache = NULL; - mm->free_area_cache = TASK_UNMAPPED_BASE; + mm->free_area_cache = oldmm->free_area_cache; mm->map_count = 0; mm->rss = 0; cpus_clear(mm->cpu_vm_mask); @@ -901,6 +902,9 @@ goto fork_out; retval = -EAGAIN; + + gr_learn_resource(p, RLIMIT_NPROC, atomic_read(&p->user->processes), 0); + if (atomic_read(&p->user->processes) >= p->rlim[RLIMIT_NPROC].rlim_cur) { if (!capable(CAP_SYS_ADMIN) && !capable(CAP_SYS_RESOURCE) && @@ -997,6 +1001,8 @@ if (retval) goto bad_fork_cleanup_namespace; + gr_copy_label(p); + p->set_child_tid = (clone_flags & CLONE_CHILD_SETTID) ? child_tidptr : NULL; /* * Clear TID on mm_release()? @@ -1138,6 +1144,9 @@ free_uid(p->user); bad_fork_free: free_task(p); + + gr_log_forkfail(retval); + goto fork_out; } diff -uNr linux-2.6.7-rc1.orig/kernel/kallsyms.c linux-2.6.7-rc1/kernel/kallsyms.c --- linux-2.6.7-rc1.orig/kernel/kallsyms.c 2004-05-23 07:55:01.000000000 +0200 +++ linux-2.6.7-rc1/kernel/kallsyms.c 2004-05-25 14:33:59.474318856 +0200 @@ -313,7 +313,15 @@ { struct proc_dir_entry *entry; +#ifdef CONFIG_GRKERNSEC_PROC_ADD +#ifdef CONFIG_GRKERNSEC_PROC_USER + entry = create_proc_entry("kallsyms", S_IFREG | S_IRUSR, NULL); +#elif CONFIG_GRKERNSEC_PROC_USERGROUP + entry = create_proc_entry("kallsyms", S_IFREG | S_IRUSR | S_IRGRP, NULL); +#endif +#else entry = create_proc_entry("kallsyms", 0444, NULL); +#endif if (entry) entry->proc_fops = &kallsyms_operations; return 0; diff -uNr linux-2.6.7-rc1.orig/kernel/pid.c linux-2.6.7-rc1/kernel/pid.c --- linux-2.6.7-rc1.orig/kernel/pid.c 2004-05-23 07:54:20.000000000 +0200 +++ linux-2.6.7-rc1/kernel/pid.c 2004-05-25 14:33:59.477318400 +0200 @@ -25,6 +25,7 @@ #include #include #include +#include #define pid_hashfn(nr) hash_long((unsigned long)nr, pidhash_shift) static struct list_head *pid_hash[PIDTYPE_MAX]; @@ -99,10 +100,12 @@ int alloc_pidmap(void) { - int pid, offset, max_steps = PIDMAP_ENTRIES + 1; + int pid = 0, offset, max_steps = PIDMAP_ENTRIES + 1; pidmap_t *map; - pid = last_pid + 1; + pid = gr_random_pid(); + if (!pid) + pid = last_pid + 1; if (pid >= pid_max) pid = RESERVED_PIDS; @@ -225,10 +228,16 @@ task_t *find_task_by_pid(int nr) { struct pid *pid = find_pid(PIDTYPE_PID, nr); + struct task_struct *task = NULL; if (!pid) return NULL; - return pid_task(pid->task_list.next, PIDTYPE_PID); + task = pid_task(pid->task_list.next, PIDTYPE_PID); + + if (gr_pid_is_chrooted(task)) + return NULL; + + return task; } EXPORT_SYMBOL(find_task_by_pid); diff -uNr linux-2.6.7-rc1.orig/kernel/printk.c linux-2.6.7-rc1/kernel/printk.c --- linux-2.6.7-rc1.orig/kernel/printk.c 2004-05-23 07:55:02.000000000 +0200 +++ linux-2.6.7-rc1/kernel/printk.c 2004-05-25 14:33:59.481317792 +0200 @@ -30,6 +30,7 @@ #include #include #include +#include #include @@ -249,6 +250,11 @@ char c; int error = 0; +#ifdef CONFIG_GRKERNSEC_DMESG + if (!capable(CAP_SYS_ADMIN) && grsec_enable_dmesg) + return -EPERM; +#endif + error = security_syslog(type); if (error) return error; diff -uNr linux-2.6.7-rc1.orig/kernel/resource.c linux-2.6.7-rc1/kernel/resource.c --- linux-2.6.7-rc1.orig/kernel/resource.c 2004-05-23 07:54:22.000000000 +0200 +++ linux-2.6.7-rc1/kernel/resource.c 2004-05-25 14:33:59.483317488 +0200 @@ -134,10 +134,27 @@ { struct proc_dir_entry *entry; +#ifdef CONFIG_GRKERNSEC_PROC_ADD +#ifdef CONFIG_GRKERNSEC_PROC_USER + entry = create_proc_entry("ioports", S_IRUSR, NULL); +#elif CONFIG_GRKERNSEC_PROC_USERGROUP + entry = create_proc_entry("ioports", S_IRUSR | S_IRGRP, NULL); +#endif +#else entry = create_proc_entry("ioports", 0, NULL); +#endif if (entry) entry->proc_fops = &proc_ioports_operations; + +#ifdef CONFIG_GRKERNSEC_PROC_ADD +#ifdef CONFIG_GRKERNSEC_PROC_USER + entry = create_proc_entry("iomem", S_IRUSR, NULL); +#elif CONFIG_GRKERNSEC_PROC_USERGROUP + entry = create_proc_entry("iomem", S_IRUSR | S_IRGRP, NULL); +#endif +#else entry = create_proc_entry("iomem", 0, NULL); +#endif if (entry) entry->proc_fops = &proc_iomem_operations; return 0; diff -uNr linux-2.6.7-rc1.orig/kernel/sched.c linux-2.6.7-rc1/kernel/sched.c --- linux-2.6.7-rc1.orig/kernel/sched.c 2004-05-23 07:54:30.000000000 +0200 +++ linux-2.6.7-rc1/kernel/sched.c 2004-05-25 14:33:59.504314296 +0200 @@ -40,6 +40,7 @@ #include #include #include +#include #include #include @@ -2159,6 +2160,8 @@ } #endif +void __sched_text_start(void) {} + /* * schedule() is the main scheduler function. */ @@ -2538,6 +2541,8 @@ EXPORT_SYMBOL(sleep_on_timeout); +void __sched_text_end(void) {} + void set_user_nice(task_t *p, long nice) { unsigned long flags; @@ -2611,6 +2616,8 @@ return -EPERM; if (increment < -40) increment = -40; + if (gr_handle_chroot_nice()) + return -EPERM; } if (increment > 40) increment = 40; @@ -3868,8 +3875,6 @@ int in_sched_functions(unsigned long addr) { - /* Linker adds these: start and end of __sched functions */ - extern char __sched_text_start[], __sched_text_end[]; return addr >= (unsigned long)__sched_text_start && addr < (unsigned long)__sched_text_end; } diff -uNr linux-2.6.7-rc1.orig/kernel/signal.c linux-2.6.7-rc1/kernel/signal.c --- linux-2.6.7-rc1.orig/kernel/signal.c 2004-05-23 07:53:57.000000000 +0200 +++ linux-2.6.7-rc1/kernel/signal.c 2004-05-25 14:33:59.518312168 +0200 @@ -21,6 +21,7 @@ #include #include #include +#include #include #include #include @@ -770,11 +771,13 @@ (((sig) < SIGRTMIN) && sigismember(&(sigptr)->signal, (sig))) -static int +int specific_send_sig_info(int sig, struct siginfo *info, struct task_struct *t) { int ret = 0; + gr_log_signal(sig, t); + if (!irqs_disabled()) BUG(); #ifdef CONFIG_SMP @@ -825,6 +828,8 @@ ret = specific_send_sig_info(sig, info, t); spin_unlock_irqrestore(&t->sighand->siglock, flags); + gr_handle_crash(t, sig); + return ret; } @@ -1086,10 +1086,14 @@ success = 0; retval = -ESRCH; - for_each_task_pid(pgrp, PIDTYPE_PGID, p, l, pid) { - int err = group_send_sig_info(sig, info, p); - success |= !err; - retval = err; + if (gr_handle_signal(p,sig)) + retval = -EPERM; + else { + for_each_task_pid(pgrp, PIDTYPE_PGID, p, l, pid) { + int err = group_send_sig_info(sig, info, p); + success |= !err; + retval = err; + } } return success ? 0 : retval; } @@ -1143,8 +1153,12 @@ read_lock(&tasklist_lock); p = find_task_by_pid(pid); error = -ESRCH; - if (p) - error = group_send_sig_info(sig, info, p); + if (p) { + if (gr_handle_signal(p, sig)) + error = -EPERM; + else + error = group_send_sig_info(sig, info, p); + } read_unlock(&tasklist_lock); return error; } @@ -1168,10 +1182,14 @@ read_lock(&tasklist_lock); for_each_process(p) { if (p->pid > 1 && p->tgid != current->tgid) { - int err = group_send_sig_info(sig, info, p); - ++count; - if (err != -EPERM) - retval = err; + if (gr_handle_signal(p, sig)) + retval = -EPERM; + else { + int err = group_send_sig_info(sig, info, p); + ++count; + if (err != -EPERM) + retval = err; + } } } read_unlock(&tasklist_lock); diff -uNr linux-2.6.7-rc1.orig/kernel/sys.c linux-2.6.7-rc1/kernel/sys.c --- linux-2.6.7-rc1.orig/kernel/sys.c 2004-05-23 07:53:34.000000000 +0200 +++ linux-2.6.7-rc1/kernel/sys.c 2004-05-25 14:33:59.529310496 +0200 @@ -23,6 +23,7 @@ #include #include #include +#include #include #include @@ -293,6 +294,12 @@ error = -EACCES; goto out; } + + if (gr_handle_chroot_setpriority(p, niceval)) { + error = -ESRCH; + goto out; + } + no_nice = security_task_setnice(p, niceval); if (no_nice) { error = no_nice; @@ -597,6 +604,9 @@ if (rgid != (gid_t) -1 || (egid != (gid_t) -1 && egid != old_rgid)) current->sgid = new_egid; + + gr_set_role_label(current, current->uid, new_rgid); + current->fsgid = new_egid; current->egid = new_egid; current->gid = new_rgid; @@ -624,6 +634,9 @@ current->mm->dumpable=0; wmb(); } + + gr_set_role_label(current, current->uid, gid); + current->gid = current->egid = current->sgid = current->fsgid = gid; } else if ((gid == current->gid) || (gid == current->sgid)) @@ -662,6 +675,9 @@ current->mm->dumpable = 0; wmb(); } + + gr_set_role_label(current, new_ruid, current->gid); + current->uid = new_ruid; return 0; } @@ -762,6 +778,9 @@ } else if ((uid != current->uid) && (uid != new_suid)) return -EPERM; + if (gr_check_crash_uid(uid)) + return -EPERM; + if (old_euid != uid) { current->mm->dumpable = 0; @@ -861,8 +880,10 @@ current->egid = egid; } current->fsgid = current->egid; - if (rgid != (gid_t) -1) + if (rgid != (gid_t) -1) { + gr_set_role_label(current, current->uid, rgid); current->gid = rgid; + } if (sgid != (gid_t) -1) current->sgid = sgid; return 0; diff -uNr linux-2.6.7-rc1.orig/kernel/sysctl.c linux-2.6.7-rc1/kernel/sysctl.c --- linux-2.6.7-rc1.orig/kernel/sysctl.c 2004-05-25 14:25:41.000000000 +0200 +++ linux-2.6.7-rc1/kernel/sysctl.c 2004-05-25 14:33:59.538309128 +0200 @@ -46,6 +46,14 @@ #endif #if defined(CONFIG_SYSCTL) +#include +#include + +extern __u32 gr_handle_sysctl(const ctl_table *table, const void *oldval, + const void *newval); +extern int gr_handle_sysctl_mod(const char *dirname, const char *name, + const int op); +extern int gr_handle_chroot_sysctl(const int op); /* External variables not in a header file. */ extern int panic_timeout; @@ -145,6 +153,7 @@ #ifdef CONFIG_UNIX98_PTYS extern ctl_table pty_table[]; #endif +extern ctl_table grsecurity_table[]; /* /proc declarations: */ @@ -639,6 +648,14 @@ .mode = 0444, .proc_handler = &proc_dointvec, }, +#ifdef CONFIG_GRKERNSEC_SYSCTL + { + .ctl_name = KERN_GRSECURITY, + .procname = "grsecurity", + .mode = 0500, + .child = grsecurity_table, + }, +#endif { .ctl_name = 0 } }; @@ -1000,6 +1017,10 @@ static inline int ctl_perm(ctl_table *table, int op) { int error; + if (table->de && gr_handle_sysctl_mod(table->de->parent->name, table->de->name, op)) + return -EACCES; + if (gr_handle_chroot_sysctl(op)) + return -EACCES; error = security_sysctl(table, op); if (error) return error; @@ -1036,6 +1057,10 @@ table = table->child; goto repeat; } + + if (!gr_handle_sysctl(table, oldval, newval)) + return -EACCES; + error = do_sysctl_strategy(table, name, nlen, oldval, oldlenp, newval, newlen, context); diff -uNr linux-2.6.7-rc1.orig/kernel/time.c linux-2.6.7-rc1/kernel/time.c --- linux-2.6.7-rc1.orig/kernel/time.c 2004-05-23 07:53:46.000000000 +0200 +++ linux-2.6.7-rc1/kernel/time.c 2004-05-25 14:33:59.550307304 +0200 @@ -28,6 +28,7 @@ #include #include #include +#include #include #include @@ -82,6 +83,9 @@ tv.tv_nsec = 0; do_settimeofday(&tv); + + gr_log_timechange(); + return 0; } @@ -183,6 +187,8 @@ return -EFAULT; } + gr_log_timechange(); + return do_sys_settimeofday(tv ? &new_ts : NULL, tz ? &new_tz : NULL); } diff -uNr linux-2.6.7-rc1.orig/kernel/timer.c linux-2.6.7-rc1/kernel/timer.c --- linux-2.6.7-rc1.orig/kernel/timer.c 2004-05-23 07:54:42.000000000 +0200 +++ linux-2.6.7-rc1/kernel/timer.c 2004-05-25 14:33:59.555306544 +0200 @@ -31,6 +31,7 @@ #include #include #include +#include #include #include @@ -792,6 +793,9 @@ psecs = (p->utime += user); psecs += (p->stime += system); + + gr_learn_resource(p, RLIMIT_CPU, psecs / HZ, 1); + if (psecs / HZ > p->rlim[RLIMIT_CPU].rlim_cur) { /* Send SIGXCPU every second.. */ if (!(psecs % HZ)) diff -uNr linux-2.6.7-rc1.orig/mm/filemap.c linux-2.6.7-rc1/mm/filemap.c --- linux-2.6.7-rc1.orig/mm/filemap.c 2004-05-23 07:53:57.000000000 +0200 +++ linux-2.6.7-rc1/mm/filemap.c 2004-05-25 14:33:59.561305632 +0200 @@ -27,6 +27,8 @@ #include #include #include +#include + /* * This is needed for the following functions: * - try_to_release_page @@ -1721,6 +1723,7 @@ *pos = i_size_read(inode); if (limit != RLIM_INFINITY) { + gr_learn_resource(current, RLIMIT_FSIZE,*pos, 0); if (*pos >= limit) { send_sig(SIGXFSZ, current, 0); return -EFBIG; diff -uNr linux-2.6.7-rc1.orig/mm/memory.c linux-2.6.7-rc1/mm/memory.c --- linux-2.6.7-rc1.orig/mm/memory.c 2004-05-23 07:54:09.000000000 +0200 +++ linux-2.6.7-rc1/mm/memory.c 2004-05-25 14:33:59.568304568 +0200 @@ -46,6 +46,7 @@ #include #include #include +#include #include #include @@ -1220,6 +1221,7 @@ do_expand: limit = current->rlim[RLIMIT_FSIZE].rlim_cur; + gr_learn_resource(current, RLIMIT_FSIZE, offset, 1); if (limit != RLIM_INFINITY && offset > limit) goto out_sig; if (offset > inode->i_sb->s_maxbytes) diff -uNr linux-2.6.7-rc1.orig/mm/mlock.c linux-2.6.7-rc1/mm/mlock.c --- linux-2.6.7-rc1.orig/mm/mlock.c 2004-05-23 07:53:32.000000000 +0200 +++ linux-2.6.7-rc1/mm/mlock.c 2004-05-25 14:33:59.574303656 +0200 @@ -8,6 +8,7 @@ #include #include +#include static int mlock_fixup(struct vm_area_struct * vma, unsigned long start, unsigned long end, unsigned int newflags) @@ -68,6 +69,9 @@ return -EINVAL; if (end == start) return 0; + if (end > TASK_SIZE) + return -EINVAL; + vma = find_vma(current->mm, start); if (!vma || vma->vm_start > start) return -ENOMEM; @@ -118,6 +122,7 @@ lock_limit >>= PAGE_SHIFT; /* check against resource limits */ + gr_learn_resource(current, RLIMIT_MEMLOCK, locked, 1); if (locked <= lock_limit) error = do_mlock(start, len, 1); up_write(¤t->mm->mmap_sem); @@ -154,6 +159,9 @@ for (vma = current->mm->mmap; vma ; vma = vma->vm_next) { unsigned int newflags; + if (vma->vm_end > TASK_SIZE) + break; + newflags = vma->vm_flags | VM_LOCKED; if (!(flags & MCL_CURRENT)) newflags &= ~VM_LOCKED; @@ -177,6 +185,7 @@ lock_limit >>= PAGE_SHIFT; ret = -ENOMEM; + gr_learn_resource(current, RLIMIT_MEMLOCK, current->mm->total_vm, 1); if (current->mm->total_vm <= lock_limit) ret = do_mlockall(flags); out: diff -uNr linux-2.6.7-rc1.orig/mm/mmap.c linux-2.6.7-rc1/mm/mmap.c --- linux-2.6.7-rc2/mm/mmap.c.orig 2004-06-02 23:45:34.377812528 +0200 +++ linux-2.6.7-rc2/mm/mmap.c 2004-06-02 23:54:52.740928432 +0200 @@ -23,6 +23,7 @@ #include #include #include +#include #include #include @@ -137,6 +138,7 @@ /* Check against rlimit.. */ rlim = current->rlim[RLIMIT_DATA].rlim_cur; + gr_learn_resource(current, RLIMIT_DATA, brk - mm->start_data, 1); if (rlim < RLIM_INFINITY && brk - mm->start_data > rlim) goto out; @@ -781,6 +786,7 @@ if (vm_flags & VM_LOCKED) { unsigned long locked = mm->locked_vm << PAGE_SHIFT; locked += len; + gr_learn_resource(current, RLIMIT_MEMLOCK, locked, 1); if (locked > current->rlim[RLIMIT_MEMLOCK].rlim_cur) return -EAGAIN; } @@ -839,6 +845,9 @@ if (error) return error; + if (!gr_acl_handle_mmap(file, prot)) + return -EACCES; + /* Clear old maps */ error = -ENOMEM; munmap_back: @@ -850,6 +859,7 @@ } /* Check against address space limit. */ + gr_learn_resource(current, RLIMIT_AS, (mm->total_vm << PAGE_SHIFT) + len, 1); if ((mm->total_vm << PAGE_SHIFT) + len > current->rlim[RLIMIT_AS].rlim_cur) return -ENOMEM; @@ -1197,9 +1210,17 @@ return -ENOMEM; } + gr_learn_resource(current, RLIMIT_STACK, address - vma->vm_start, 1); + gr_learn_resource(current, RLIMIT_AS, (vma->vm_mm->total_vm + grow) << PAGE_SHIFT, 1); + if (vma->vm_flags & VM_LOCKED) + gr_learn_resource(current, RLIMIT_MEMLOCK, (vma->vm_mm->locked_vm + grow) << PAGE_SHIFT, 1); + if (address - vma->vm_start > current->rlim[RLIMIT_STACK].rlim_cur || ((vma->vm_mm->total_vm + grow) << PAGE_SHIFT) > - current->rlim[RLIMIT_AS].rlim_cur) { + current->rlim[RLIMIT_AS].rlim_cur || + ((vma->vm_flags & VM_LOCKED) && + ((vma->vm_mm->locked_vm + grow) << PAGE_SHIFT) > + current->rlim[RLIMIT_MEMLOCK].rlim_cur)) { anon_vma_unlock(vma); vm_unacct_memory(grow); return -ENOMEM; @@ -1258,9 +1279,17 @@ return -ENOMEM; } + gr_learn_resource(current, RLIMIT_STACK, vma->vm_end - address, 1); + gr_learn_resource(current, RLIMIT_AS, (vma->vm_mm->total_vm + grow) << PAGE_SHIFT, 1); + if (vma->vm_flags & VM_LOCKED) + gr_learn_resource(current, RLIMIT_MEMLOCK, (vma->vm_mm->locked_vm + grow) << PAGE_SHIFT, 1); + if (vma->vm_end - address > current->rlim[RLIMIT_STACK].rlim_cur || ((vma->vm_mm->total_vm + grow) << PAGE_SHIFT) > - current->rlim[RLIMIT_AS].rlim_cur) { + current->rlim[RLIMIT_AS].rlim_cur || + ((vma->vm_flags & VM_LOCKED) && + ((vma->vm_mm->locked_vm + grow) << PAGE_SHIFT) > + current->rlim[RLIMIT_MEMLOCK].rlim_cur)) { anon_vma_unlock(vma); vm_unacct_memory(grow); return -ENOMEM; @@ -1623,6 +1655,7 @@ if (mm->def_flags & VM_LOCKED) { unsigned long locked = mm->locked_vm << PAGE_SHIFT; locked += len; + gr_learn_resource(current, RLIMIT_MEMLOCK, locked, 1); if (locked > current->rlim[RLIMIT_MEMLOCK].rlim_cur) return -EAGAIN; } @@ -1639,6 +1672,7 @@ } /* Check against address space limits *after* clearing old maps... */ + gr_learn_resource(current, RLIMIT_AS, (mm->total_vm << PAGE_SHIFT) + len, 1); if ((mm->total_vm << PAGE_SHIFT) + len > current->rlim[RLIMIT_AS].rlim_cur) return -ENOMEM; diff -uNr linux-2.6.7-rc1.orig/mm/mprotect.c linux-2.6.7-rc1/mm/mprotect.c --- linux-2.6.7-rc1.orig/mm/mprotect.c 2004-05-23 07:55:03.000000000 +0200 +++ linux-2.6.7-rc1/mm/mprotect.c 2004-05-25 14:33:59.581302592 +0200 @@ -17,6 +17,7 @@ #include #include #include +#include #include #include @@ -202,6 +203,10 @@ end = start + len; if (end < start) return -ENOMEM; + + if (end > TASK_SIZE) + return -EINVAL; + if (prot & ~(PROT_READ | PROT_WRITE | PROT_EXEC | PROT_SEM)) return -EINVAL; if (end == start) @@ -236,6 +241,11 @@ if (start > vma->vm_start) prev = vma; + if (!gr_acl_handle_mprotect(vma->vm_file, prot)) { + error = -EACCES; + goto out; + } + for (nstart = start ; ; ) { unsigned int newflags; diff -uNr linux-2.6.7-rc1.orig/mm/mremap.c linux-2.6.7-rc1/mm/mremap.c --- linux-2.6.7-rc1.orig/mm/mremap.c 2004-05-23 07:54:19.000000000 +0200 +++ linux-2.6.7-rc1/mm/mremap.c 2004-05-25 14:33:59.584302136 +0200 @@ -267,6 +267,10 @@ if (!new_len) goto out; + if (new_len > TASK_SIZE || addr > TASK_SIZE-new_len || + old_len > TASK_SIZE || addr > TASK_SIZE-old_len) + goto out; + /* new_addr is only valid if MREMAP_FIXED is specified */ if (flags & MREMAP_FIXED) { if (new_addr & ~PAGE_MASK) diff -uNr linux-2.6.7-rc1.orig/net/ipv4/af_inet.c linux-2.6.7-rc1/net/ipv4/af_inet.c --- linux-2.6.7-rc1.orig/net/ipv4/af_inet.c 2004-05-23 07:53:35.000000000 +0200 +++ linux-2.6.7-rc1/net/ipv4/af_inet.c 2004-05-25 14:33:59.595300464 +0200 @@ -87,6 +87,7 @@ #include #include #include +#include #include #include @@ -387,7 +388,12 @@ else inet->pmtudisc = IP_PMTUDISC_WANT; - inet->id = 0; +#ifdef CONFIG_GRKERNSEC_RANDID + if (grsec_enable_randid) + inet->id = htons(ip_randomid()); + else +#endif + inet->id = 0; sock_init_data(sock, sk); sk_set_owner(sk, THIS_MODULE); diff -uNr linux-2.6.7-rc1.orig/net/ipv4/ip_output.c linux-2.6.7-rc1/net/ipv4/ip_output.c --- linux-2.6.7-rc1.orig/net/ipv4/ip_output.c 2004-05-25 14:25:40.000000000 +0200 +++ linux-2.6.7-rc1/net/ipv4/ip_output.c 2004-05-25 14:33:59.600299704 +0200 @@ -64,6 +64,7 @@ #include #include #include +#include #include #include @@ -1180,6 +1181,12 @@ iph->tos = inet->tos; iph->tot_len = htons(skb->len); iph->frag_off = df; + +#ifdef CONFIG_GRKERNSEC_RANDID + if (grsec_enable_randid) + iph->id = htons(ip_randomid()); + else +#endif if (!df) { __ip_select_ident(iph, &rt->u.dst, 0); } else { diff -uNr linux-2.6.7-rc1.orig/net/ipv4/netfilter/ipt_stealth.c linux-2.6.7-rc1/net/ipv4/netfilter/ipt_stealth.c --- linux-2.6.7-rc1.orig/net/ipv4/netfilter/ipt_stealth.c 1970-01-01 01:00:00.000000000 +0100 +++ linux-2.6.7-rc1/net/ipv4/netfilter/ipt_stealth.c 2004-05-25 14:33:59.610298184 +0200 @@ -0,0 +1,112 @@ +/* Kernel module to add stealth support. + * + * Copyright (C) 2002 Brad Spengler + * + */ + +#include +#include +#include +#include +#include +#include +#include + +#include +#include +#include +#include +#include +#include + +#include + +MODULE_LICENSE("GPL"); + +extern struct sock *udp_v4_lookup(u32 saddr, u16 sport, u32 daddr, u16 dport, int dif); + +static int +match(const struct sk_buff *skb, + const struct net_device *in, + const struct net_device *out, + const void *matchinfo, + int offset, + int *hotdrop) +{ + struct iphdr *ip = skb->nh.iph; + struct tcphdr th; + struct udphdr uh; + struct sock *sk = NULL; + + if (!ip || offset) return 0; + + switch(ip->protocol) { + case IPPROTO_TCP: + if (skb_copy_bits(skb, skb->nh.iph->ihl*4, &th, sizeof(th)) < 0) { + *hotdrop = 1; + return 0; + } + if (!(th.syn && !th.ack)) return 0; + sk = tcp_v4_lookup_listener(ip->daddr, ntohs(th.dest), ((struct rtable*)skb->dst)->rt_iif); + break; + case IPPROTO_UDP: + if (skb_copy_bits(skb, skb->nh.iph->ihl*4, &uh, sizeof(uh)) < 0) { + *hotdrop = 1; + return 0; + } + sk = udp_v4_lookup(ip->saddr, uh.source, ip->daddr, uh.dest, skb->dev->ifindex); + break; + default: + return 0; + } + + if(!sk) // port is being listened on, match this + return 1; + else { + sock_put(sk); + return 0; + } +} + +/* Called when user tries to insert an entry of this type. */ +static int +checkentry(const char *tablename, + const struct ipt_ip *ip, + void *matchinfo, + unsigned int matchsize, + unsigned int hook_mask) +{ + if (matchsize != IPT_ALIGN(0)) + return 0; + + if(((ip->proto == IPPROTO_TCP && !(ip->invflags & IPT_INV_PROTO)) || + ((ip->proto == IPPROTO_UDP) && !(ip->invflags & IPT_INV_PROTO))) + && (hook_mask & (1 << NF_IP_LOCAL_IN))) + return 1; + + printk("stealth: Only works on TCP and UDP for the INPUT chain.\n"); + + return 0; +} + + +static struct ipt_match stealth_match = { + .name = "stealth", + .match = &match, + .checkentry = &checkentry, + .destroy = NULL, + .me = THIS_MODULE +}; + +static int __init init(void) +{ + return ipt_register_match(&stealth_match); +} + +static void __exit fini(void) +{ + ipt_unregister_match(&stealth_match); +} + +module_init(init); +module_exit(fini); diff -uNr linux-2.6.7-rc1.orig/net/ipv4/netfilter/Kconfig linux-2.6.7-rc1/net/ipv4/netfilter/Kconfig --- linux-2.6.7-rc1.orig/net/ipv4/netfilter/Kconfig 2004-05-25 14:25:41.000000000 +0200 +++ linux-2.6.7-rc1/net/ipv4/netfilter/Kconfig 2004-05-25 14:33:59.604299096 +0200 @@ -241,6 +241,21 @@ To compile it as a module, choose M here. If unsure, say N. +config IP_NF_MATCH_STEALTH + tristate "stealth match support" + depends on IP_NF_IPTABLES + help + Enabling this option will drop all syn packets coming to unserved tcp + ports as well as all packets coming to unserved udp ports. If you + are using your system to route any type of packets (ie. via NAT) + you should put this module at the end of your ruleset, since it will + drop packets that aren't going to ports that are listening on your + machine itself, it doesn't take into account that the packet might be + destined for someone on your internal network if you're using NAT for + instance. + + To compile it as a module, choose M here. If unsure, say N. + config IP_NF_MATCH_HELPER tristate "Helper match support" depends on IP_NF_CONNTRACK && IP_NF_IPTABLES diff -uNr linux-2.6.7-rc1.orig/net/ipv4/netfilter/Makefile linux-2.6.7-rc1/net/ipv4/netfilter/Makefile --- linux-2.6.7-rc1.orig/net/ipv4/netfilter/Makefile 2004-05-25 14:25:41.000000000 +0200 +++ linux-2.6.7-rc1/net/ipv4/netfilter/Makefile 2004-05-25 14:33:59.608298488 +0200 @@ -140,6 +140,8 @@ obj-$(CONFIG_IP_NF_MATCH_ADDRTYPE) += ipt_addrtype.o obj-$(CONFIG_IP_NF_MATCH_REALM) += ipt_realm.o +obj-$(CONFIG_IP_NF_MATCH_STEALTH) += ipt_stealth.o + obj-$(CONFIG_IP_NF_MATCH_PHYSDEV) += ipt_physdev.o obj-$(CONFIG_IP_NF_MATCH_POLICY) += ipt_policy.o diff -uNr linux-2.6.7-rc1.orig/net/ipv4/tcp_ipv4.c linux-2.6.7-rc1/net/ipv4/tcp_ipv4.c --- linux-2.6.7-rc1.orig/net/ipv4/tcp_ipv4.c 2004-05-25 14:25:40.000000000 +0200 +++ linux-2.6.7-rc1/net/ipv4/tcp_ipv4.c 2004-05-25 14:33:59.615297424 +0200 @@ -62,6 +62,7 @@ #include #include #include +#include #include #include @@ -224,9 +225,16 @@ spin_lock(&tcp_portalloc_lock); rover = tcp_port_rover; do { - rover++; - if (rover < low || rover > high) - rover = low; +#ifdef CONFIG_GRKERNSEC_RANDSRC + if (grsec_enable_randsrc && (high > low)) { + rover = low + (get_random_long() % (high - low)); + } else +#endif + { + rover++; + if (rover < low || rover > high) + rover = low; + } head = &tcp_bhash[tcp_bhashfn(rover)]; spin_lock(&head->lock); tb_for_each(tb, node, &head->chain) @@ -537,6 +545,11 @@ static inline __u32 tcp_v4_init_sequence(struct sock *sk, struct sk_buff *skb) { +#ifdef CONFIG_GRKERNSEC_RANDISN + if (likely(grsec_enable_randisn)) + return ip_randomisn(); + else +#endif return secure_tcp_sequence_number(skb->nh.iph->daddr, skb->nh.iph->saddr, skb->h.th->dest, @@ -671,10 +684,17 @@ rover = tcp_port_rover; do { - rover++; - if ((rover < low) || (rover > high)) - rover = low; - head = &tcp_bhash[tcp_bhashfn(rover)]; +#ifdef CONFIG_GRKERNSEC_RANDSRC + if (grsec_enable_randsrc && (high > low)) { + rover = low + (get_random_long() % (high - low)); + } else +#endif + { + rover++; + if ((rover < low) || (rover > high)) + rover = low; + } + head = &tcp_bhash[tcp_bhashfn(rover)]; spin_lock(&head->lock); /* Does not bother with rcv_saddr checks, @@ -724,6 +744,15 @@ } spin_unlock(&head->lock); +#ifdef CONFIG_GRKERNSEC + gr_del_task_from_ip_table(current); + current->gr_saddr = inet_sk(sk)->rcv_saddr; + current->gr_daddr = inet_sk(sk)->daddr; + current->gr_sport = inet_sk(sk)->sport; + current->gr_dport = inet_sk(sk)->dport; + gr_add_to_task_ip_table(current); +#endif + if (tw) { tcp_tw_deschedule(tw); tcp_tw_put(tw); @@ -843,13 +872,24 @@ tcp_v4_setup_caps(sk, &rt->u.dst); tp->ext2_header_len = rt->u.dst.header_len; - if (!tp->write_seq) + if (!tp->write_seq) { +#ifdef CONFIG_GRKERNSEC_RANDISN + if (likely(grsec_enable_randisn)) + tp->write_seq = ip_randomisn(); + else +#endif tp->write_seq = secure_tcp_sequence_number(inet->saddr, inet->daddr, inet->sport, usin->sin_port); + } - inet->id = tp->write_seq ^ jiffies; +#ifdef CONFIG_GRKERNSEC_RANDID + if (grsec_enable_randid) + inet->id = htons(ip_randomid()); + else +#endif + inet->id = tp->write_seq ^ jiffies; err = tcp_connect(sk); rt = NULL; @@ -1593,7 +1633,13 @@ if (newinet->opt) newtp->ext_header_len = newinet->opt->optlen; newtp->ext2_header_len = dst->header_len; - newinet->id = newtp->write_seq ^ jiffies; + +#ifdef CONFIG_GRKERNSEC_RANDID + if (grsec_enable_randid) + newinet->id = htons(ip_randomid()); + else +#endif + newinet->id = newtp->write_seq ^ jiffies; tcp_sync_mss(newsk, dst_pmtu(dst)); newtp->advmss = dst_metric(dst, RTAX_ADVMSS); diff -uNr linux-2.6.7-rc1.orig/net/ipv4/udp.c linux-2.6.7-rc1/net/ipv4/udp.c --- linux-2.6.7-rc1.orig/net/ipv4/udp.c 2004-05-25 14:25:40.000000000 +0200 +++ linux-2.6.7-rc1/net/ipv4/udp.c 2004-05-25 14:33:59.619296816 +0200 @@ -100,6 +100,7 @@ #include #include #include +#include #include #include #include @@ -108,6 +109,12 @@ #include #include +extern int gr_search_udp_recvmsg(const struct sock *sk, + const struct sk_buff *skb); +extern int gr_search_udp_sendmsg(const struct sock *sk, + const struct sockaddr_in *addr); + + /* * Snmp MIB for the UDP layer */ @@ -538,9 +545,16 @@ dport = usin->sin_port; if (dport == 0) return -EINVAL; + + if (!gr_search_udp_sendmsg(sk, usin)) + return -EPERM; } else { if (sk->sk_state != TCP_ESTABLISHED) return -EDESTADDRREQ; + + if (!gr_search_udp_sendmsg(sk, NULL)) + return -EPERM; + daddr = inet->daddr; dport = inet->dport; /* Open fast path for connected socket. @@ -792,7 +806,12 @@ if (!skb) goto out; - copied = skb->len - sizeof(struct udphdr); + if (!gr_search_udp_recvmsg(sk, skb)) { + err = -EPERM; + goto out_free; + } + + copied = skb->len - sizeof(struct udphdr); if (copied > len) { copied = len; msg->msg_flags |= MSG_TRUNC; @@ -901,7 +920,12 @@ inet->daddr = rt->rt_dst; inet->dport = usin->sin_port; sk->sk_state = TCP_ESTABLISHED; - inet->id = jiffies; +#ifdef CONFIG_GRKERNSEC_RANDID + if (grsec_enable_randid) + inet->id = htons(ip_randomid()); + else +#endif + inet->id = jiffies; sk_dst_set(sk, &rt->u.dst); return(0); diff -uNr linux-2.6.7-rc1.orig/net/socket.c linux-2.6.7-rc1/net/socket.c --- linux-2.6.7-rc1.orig/net/socket.c 2004-05-23 07:53:57.000000000 +0200 +++ linux-2.6.7-rc1/net/socket.c 2004-05-25 14:33:59.634294536 +0200 @@ -81,6 +81,7 @@ #include #include #include +#include #ifdef CONFIG_NET_RADIO #include /* Note : will define WIRELESS_EXT */ @@ -94,6 +95,18 @@ #include #include +extern void gr_attach_curr_ip(const struct sock *sk); +extern int gr_handle_sock_all(const int family, const int type, + const int protocol); +extern int gr_handle_sock_server(const struct sockaddr *sck); +extern int gr_handle_sock_client(const struct sockaddr *sck); +extern int gr_search_connect(const struct socket * sock, + const struct sockaddr_in * addr); +extern int gr_search_bind(const struct socket * sock, + const struct sockaddr_in * addr); +extern int gr_search_socket(const int domain, const int type, + const int protocol); + static int sock_no_open(struct inode *irrelevant, struct file *dontcare); static ssize_t sock_aio_read(struct kiocb *iocb, char __user *buf, size_t size, loff_t pos); @@ -897,6 +910,7 @@ printk(KERN_DEBUG "sock_close: NULL inode\n"); return 0; } + sock_fasync(-1, filp, 0); sock_release(SOCKET_I(inode)); return 0; @@ -1126,6 +1140,16 @@ int retval; struct socket *sock; + if(!gr_search_socket(family, type, protocol)) { + retval = -EACCES; + goto out; + } + + if (gr_handle_sock_all(family, type, protocol)) { + retval = -EACCES; + goto out; + } + retval = sock_create(family, type, protocol, &sock); if (retval < 0) goto out; @@ -1221,11 +1245,23 @@ { struct socket *sock; char address[MAX_SOCK_ADDR]; + struct sockaddr *sck; int err; if((sock = sockfd_lookup(fd,&err))!=NULL) { if((err=move_addr_to_kernel(umyaddr,addrlen,address))>=0) { + sck = (struct sockaddr *)address; + if (!gr_search_bind(sock, (struct sockaddr_in *)sck)) { + sockfd_put(sock); + return -EACCES; + } + + if (gr_handle_sock_server(sck)) { + sockfd_put(sock); + return -EACCES; + } + err = security_socket_bind(sock, (struct sockaddr *)address, addrlen); if (err) { sockfd_put(sock); @@ -1328,6 +1364,7 @@ goto out_release; security_socket_post_accept(sock, newsock); + gr_attach_curr_ip(newsock->sk); out_put: sockfd_put(sock); @@ -1355,6 +1392,7 @@ { struct socket *sock; char address[MAX_SOCK_ADDR]; + struct sockaddr *sck; int err; sock = sockfd_lookup(fd, &err); @@ -1364,6 +1402,18 @@ if (err < 0) goto out_put; + sck = (struct sockaddr *)address; + + if (!gr_search_connect(sock, (struct sockaddr_in *)sck)) { + err = -EACCES; + goto out_put; + } + + if (gr_handle_sock_client(sck)) { + err = -EACCES; + goto out_put; + } + err = security_socket_connect(sock, (struct sockaddr *)address, addrlen); if (err) goto out_put; @@ -1617,6 +1667,7 @@ err=sock->ops->shutdown(sock, how); sockfd_put(sock); } + return err; } diff -uNr linux-2.6.7-rc1.orig/net/sunrpc/xprt.c linux-2.6.7-rc1/net/sunrpc/xprt.c --- linux-2.6.7-rc1.orig/net/sunrpc/xprt.c 2004-05-23 07:54:22.000000000 +0200 +++ linux-2.6.7-rc1/net/sunrpc/xprt.c 2004-05-25 14:33:59.644293016 +0200 @@ -58,6 +58,7 @@ #include #include #include +#include #include #include @@ -1337,6 +1338,12 @@ */ static inline u32 xprt_alloc_xid(struct rpc_xprt *xprt) { + +#ifdef CONFIG_GRKERNSEC_RANDRPC + if (grsec_enable_randrpc) + return (u32) get_random_long(); +#endif + return xprt->xid++; } diff -uNr linux-2.6.7-rc1.orig/net/unix/af_unix.c linux-2.6.7-rc1/net/unix/af_unix.c --- linux-2.6.7-rc1.orig/net/unix/af_unix.c 2004-05-23 07:54:22.000000000 +0200 +++ linux-2.6.7-rc1/net/unix/af_unix.c 2004-05-25 14:33:59.653291648 +0200 @@ -118,6 +118,7 @@ #include #include #include +#include int sysctl_unix_max_dgram_qlen = 10; @@ -681,6 +682,11 @@ if (err) goto put_fail; + if (!gr_acl_handle_unix(nd.dentry, nd.mnt)) { + err = -EACCES; + goto put_fail; + } + err = -ECONNREFUSED; if (!S_ISSOCK(nd.dentry->d_inode->i_mode)) goto put_fail; @@ -704,6 +710,13 @@ if (u) { struct dentry *dentry; dentry = unix_sk(u)->dentry; + + if (!gr_handle_chroot_unix(u->sk_peercred.pid)) { + err = -EPERM; + sock_put(u); + goto fail; + } + if (dentry) touch_atime(unix_sk(u)->mnt, dentry); } else @@ -803,9 +816,18 @@ */ mode = S_IFSOCK | (SOCK_INODE(sock)->i_mode & ~current->fs->umask); + + if (!gr_acl_handle_mknod(dentry, nd.dentry, nd.mnt, mode)) { + err = -EACCES; + goto out_mknod_dput; + } + err = vfs_mknod(nd.dentry->d_inode, dentry, mode, 0); if (err) goto out_mknod_dput; + + gr_handle_create(dentry, nd.mnt); + up(&nd.dentry->d_inode->i_sem); dput(nd.dentry); nd.dentry = dentry; @@ -823,6 +845,10 @@ goto out_unlock; } +#ifdef CONFIG_GRKERNSEC_CHROOT_UNIX + sk->sk_peercred.pid = current->pid; +#endif + list = &unix_socket_table[addr->hash]; } else { list = &unix_socket_table[dentry->d_inode->i_ino & (UNIX_HASH_SIZE-1)]; diff -uNr linux-2.6.7-rc1.orig/security/Kconfig linux-2.6.7-rc1/security/Kconfig --- linux-2.6.7-rc1.orig/security/Kconfig 2004-05-23 07:54:23.000000000 +0200 +++ linux-2.6.7-rc1/security/Kconfig 2004-05-26 01:02:26.341672392 +0200 @@ -2,6 +2,8 @@ # Security configuration # +source grsecurity/Kconfig + menu "Security options" config SECURITY diff -uNr linux-2.6.7-rc1.orig/security/commoncap.c linux-2.6.7-rc1/security/commoncap.c --- linux-2.6.7-rc1.orig/security/commoncap.c 2004-05-23 07:53:57.000000000 +0200 +++ linux-2.6.7-rc1/security/commoncap.c 2004-05-25 14:33:59.657291040 +0200 @@ -27,7 +27,7 @@ int cap_capable (struct task_struct *tsk, int cap) { /* Derived from include/linux/sched.h:capable. */ - if (cap_raised (tsk->cap_effective, cap)) + if (cap_raised (tsk->cap_effective, cap) && gr_task_is_capable(tsk, cap)) return 0; else return -EPERM; @@ -37,7 +37,7 @@ { /* Derived from arch/i386/kernel/ptrace.c:sys_ptrace. */ if (!cap_issubset (child->cap_permitted, current->cap_permitted) && - !capable (CAP_SYS_PTRACE)) + !capable_nolog (CAP_SYS_PTRACE)) return -EPERM; else return 0; @@ -334,7 +334,7 @@ /* * Leave the last 3% for root */ - if (!capable(CAP_SYS_ADMIN)) + if (!capable_nolog(CAP_SYS_ADMIN)) free -= free / 32; if (free > pages) @@ -345,7 +345,7 @@ * only call if we're about to fail. */ n = nr_free_pages(); - if (!capable(CAP_SYS_ADMIN)) + if (!capable_nolog(CAP_SYS_ADMIN)) n -= n / 32; free += n; diff -uNr linux-2.6.7-rc1.orig/security/security.c linux-2.6.7-rc1/security/security.c --- linux-2.6.7-rc1.orig/security/security.c 2004-05-23 07:53:30.000000000 +0200 +++ linux-2.6.7-rc1/security/security.c 2004-05-25 14:33:59.659290736 +0200 @@ -206,4 +206,5 @@ EXPORT_SYMBOL_GPL(mod_reg_security); EXPORT_SYMBOL_GPL(mod_unreg_security); EXPORT_SYMBOL(capable); +EXPORT_SYMBOL(capable_nolog); EXPORT_SYMBOL(security_ops); diff -uNr linux-2.6.7-rc1.orig/Makefile linux-2.6.7-rc1/Makefile --- linux-2.6.7-rc1.orig/Makefile 2004-05-26 00:38:42.000000000 +0200 +++ linux-2.6.7-rc1/Makefile 2004-05-26 01:23:28.424806592 +0200 @@ -484,7 +484,7 @@ ifeq ($(KBUILD_EXTMOD),) -core-y += kernel/ mm/ fs/ ipc/ security/ crypto/ +core-y += kernel/ mm/ fs/ ipc/ security/ crypto/ grsecurity/ vmlinux-dirs := $(patsubst %/,%,$(filter %/, $(init-y) $(init-m) \ $(core-y) $(core-m) $(drivers-y) $(drivers-m) \ --- linux-2.6.7/arch/sparc/Makefile.orig 2004-07-07 19:23:23.000000000 +0000 +++ linux-2.6.7/arch/sparc/Makefile 2004-07-07 22:31:14.000000000 +0000 @@ -34,7 +34,7 @@ # Renaming is done to avoid confusing pattern matching rules in 2.5.45 (multy-) INIT_Y := $(patsubst %/, %/built-in.o, $(init-y)) CORE_Y := $(core-y) -CORE_Y += kernel/ mm/ fs/ ipc/ security/ crypto/ +CORE_Y += kernel/ mm/ fs/ ipc/ security/ crypto/ grsecurity/ CORE_Y := $(patsubst %/, %/built-in.o, $(CORE_Y)) DRIVERS_Y := $(patsubst %/, %/built-in.o, $(drivers-y)) NET_Y := $(patsubst %/, %/built-in.o, $(net-y))