]>
Commit | Line | Data |
---|---|---|
85213f0d KT |
1 | diff -urP linux-2.2.20-ow1/Documentation/Configure.help linux-2.2.20-hap-2/Documentation/Configure.help |
2 | --- linux-2.2.20-ow1/Documentation/Configure.help Sat Nov 3 13:14:57 2001 | |
3 | +++ linux-2.2.20-hap-2/Documentation/Configure.help Fri Nov 9 19:16:17 2001 | |
4 | @@ -15291,6 +15291,17 @@ | |
5 | same as that of the directory or the FIFO is opened without the | |
6 | O_CREAT flag. | |
7 | ||
8 | +Allow links/pipes in non-world-writable +t dirs | |
9 | +CONFIG_SECURE_NOTSOMUCH | |
10 | + This makes the checks that CONFIG_SECURE_LINK and CONFIG_SECURE_PIPE | |
11 | + perform a little less restrictive. Namely, links/pipes will work | |
12 | + again in +t directories if the directory is not world-writable. Most | |
13 | + sticky directories (such as /tmp) *are* world-writable, but you may | |
14 | + have other +t directories which are not (to make safe group-writable | |
15 | + shared upload directories, for instance). Say Y only if you have had | |
16 | + problems using the CONFIG_SECURE_LINK or CONFIG_SECURE_PIPE options | |
17 | + and you think you need this. | |
18 | + | |
19 | Restricted /proc | |
20 | CONFIG_SECURE_PROC | |
21 | This option restricts the permissions on directories in /proc so | |
22 | @@ -15302,6 +15313,13 @@ | |
23 | disables dmesg(8) for the users. You might want to use this on an ISP | |
24 | shell server where privacy is an issue. | |
25 | ||
26 | +Unofficial bugfixes | |
27 | +CONFIG_SECURE_BUGFIX | |
28 | + Currently this fixes the following bug: | |
29 | + * stracing an unreadable binary (ie mode 111). Note that there | |
30 | + are still ways to get around this at least on x86. | |
31 | + Say Y here unless you know you shouldn't. | |
32 | + | |
33 | Special handling of fd 0, 1, and 2 | |
34 | CONFIG_SECURE_FD_0_1_2 | |
35 | File descriptors 0, 1, and 2 have a special meaning for the C library | |
36 | @@ -15343,6 +15361,102 @@ | |
37 | Note that this feature will do you no good unless you also configure | |
38 | your resource limits (in particular, RLIMIT_AS and RLIMIT_NPROC). Most | |
39 | systems don't need this. | |
40 | + | |
41 | +Extra logging of unusual events | |
42 | +CONFIG_SECURE_LOGGING | |
43 | + This turns on some extra kernel logging. Right now this includes: | |
44 | + * some extra verbosity in the network layer (reporting about arp cache | |
45 | + changes, and complaining if someone tries to route through us and | |
46 | + we're not a router) | |
47 | + * also causes some packets that used to be dropped silently to get | |
48 | + whined about | |
49 | + * logs of who/what/when the system time changes | |
50 | + * logs when/why forks fail | |
51 | + * logs certain "lethal" signals: SIGSEGV, SIGBUS, SIGABRT, SIGILL | |
52 | + This is of limited use, and has some extra overhead, but isn't likely | |
53 | + to cause any problems. | |
54 | + | |
55 | +Paranoid networking | |
56 | +CONFIG_SECURE_NETWORK | |
57 | + This turns on some extra paranoia in tcp and udp net code. | |
58 | + Currently it does (or tries to): | |
59 | + * warns on packets to unserved UDP ports | |
60 | + * warns on packets to unserved TCP ports | |
61 | + * optionally, denies such packets (CONFIG_SECURE_NET_SBD) | |
62 | + * warns & denies TCP packets with invalid combinations of flags | |
63 | + * adds extra info to all IPFW log lines: | |
64 | + * length of TCP & data / UDP as well as IP length | |
65 | + * print TCP ACK and SEQ numbers in addition to IP ids | |
66 | + * prints all TCP flags set (Syn, Ack, Fin, Urg, etc) | |
67 | + It also hopefully banishes a longstanding bug with IPFW/IPchains | |
68 | + log printing when under heavy IO, where different printk'ed lines | |
69 | + step on each other/get truncated, etc. | |
70 | + Say Y unless you think it's breaking stuff (or you don't want the | |
71 | + log volume, which will be high on a busy server). | |
72 | + | |
73 | +Blackhole networking | |
74 | +CONFIG_SECURE_NET_SBD | |
75 | + When CONFIG_SECURE_NETWORK is enabled, this disables the usual | |
76 | + behavior of responding to unsolicited/"unserved" TCP packets with | |
77 | + a TCP RST, and to unserved UDP packets with an ICMP port-unreach. | |
78 | + Note that the UDP behavior is superfluous (can be easily done with | |
79 | + ipchains rules) but there's no convenient, desirable way to block | |
80 | + the RSTs other than this. This is recommended for personal systems | |
81 | + and low-volume servers. However, it is rude and breaks RFCs, so | |
82 | + it should be left off (the default behavior) for most systems, | |
83 | + unless you are *really* paranoid. | |
84 | + | |
85 | +Restricted chroot | |
86 | +CONFIG_SECURE_CHROOT | |
87 | + This causes chroot processes to be a bit more restricted. Processes | |
88 | + which are already in a chroot(2)ed jail now cannot: | |
89 | + * chroot(2) again | |
90 | + * mknod(2) a character or block device | |
91 | + * mount(2) new/remounted filesystems | |
92 | + * ptrace(2) processes outside their jail | |
93 | + * kill(2) processes outside their jail (except sending SIGCHLD to parent) | |
94 | + These are a _few_ of the ways that a root-priv'ed process can break | |
95 | + out of a chrooted jail. They are not all of them. Basically, if | |
96 | + someone has root in a chrooted jail, no can defend -- they've got you. | |
97 | + But, this may help you detect the most common things such an intruder | |
98 | + would do. The only way to win is not to play, however -- don't let | |
99 | + anything in a chrooted jail get root! Simple, right? ;) | |
100 | + This may break systems that use initrd, as that implies an original | |
101 | + chroot. Or not -- the "is this process chrooted" test compares the | |
102 | + root of the current process to that of init; this may not break under | |
103 | + initrd (I have no initrd'd boxes on which to test). | |
104 | + | |
105 | +Restricted ptrace | |
106 | +CONFIG_SECURE_TRACE | |
107 | + When enabled this disables system call tracing (ptrace) entirely for | |
108 | + non-root users. It also prevents tracing syscalls the kernel itself | |
109 | + makes, which can confuse some programs such as strace. When this | |
110 | + option is set, CONFIG_SECURE_TRACE_USERGROUP can be used to enable | |
111 | + ptrace/strace for only certain users. | |
112 | + This option will also cause the logging of any *allowed* ptrace calls. | |
113 | + | |
114 | +Restricted ptrace usergroup | |
115 | +CONFIG_SECURE_TRACE_USERGROUP | |
116 | + Use this option to allow tracing by a special group (defaults to 0). | |
117 | + Users in this group (or processes with this group as egid) can use | |
118 | + the ptrace system call--but only against their own processes, unless | |
119 | + they are root. The allowed group can be changed at runtime when | |
120 | + CONFIG_SECURE_SYSCTL is enabled, by | |
121 | + echo XX > /proc/sys/kernel/security/trace_gid | |
122 | + For a number of boring reasons, the recommended way to use this is to | |
123 | + create a dedicated 'ptrace' group, put only trusted users in it, and | |
124 | + chgrp ptrace /usr/bin/strace; chmod 2110 /usr/bin/strace | |
125 | + (And do the same for other ptrace-using apps they need to run.) | |
126 | + | |
127 | +Security Sysctl | |
128 | +CONFIG_SECURE_SYSCTL | |
129 | + If you say Y here, you will be able to change security options that | |
130 | + without having to recompile your kernel. You can echo values to | |
131 | + files in /proc/sys/kernel/security to enable (1) or disable (0) various | |
132 | + features or change runtime configurables like the ptrace-allow group. | |
133 | + All features are enabled by default (and default to root-only). | |
134 | + Please note that this option could reduce the effectiveness of the | |
135 | + added security policy. | |
136 | ||
137 | # | |
138 | # A couple of things I keep forgetting: | |
85213f0d KT |
139 | diff -urP linux-2.2.20-ow1/arch/alpha/defconfig linux-2.2.20-hap-2/arch/alpha/defconfig |
140 | --- linux-2.2.20-ow1/arch/alpha/defconfig Sat Nov 3 13:14:57 2001 | |
141 | +++ linux-2.2.20-hap-2/arch/alpha/defconfig Fri Nov 9 19:16:17 2001 | |
142 | @@ -333,10 +333,15 @@ | |
143 | # | |
144 | CONFIG_SECURE_LINK=y | |
145 | CONFIG_SECURE_FIFO=y | |
146 | -# CONFIG_SECURE_PROC is not set | |
147 | +CONFIG_SECURE_NOTSOMUCH=y | |
148 | +CONFIG_SECURE_PROC=y | |
149 | CONFIG_SECURE_FD_0_1_2=y | |
150 | CONFIG_SECURE_RLIMIT_NPROC=y | |
151 | # CONFIG_SECURE_SHM is not set | |
152 | +CONFIG_SECURE_LOGGING=y | |
153 | +CONFIG_SECURE_NETWORK=y | |
154 | +# CONFIG_SECURE_NET_SBD is not set | |
155 | +CONFIG_SECURE_CHROOT=y | |
156 | ||
157 | # | |
158 | # Kernel hacking | |
159 | diff -urP linux-2.2.20-ow1/arch/alpha/kernel/ptrace.c linux-2.2.20-hap-2/arch/alpha/kernel/ptrace.c | |
160 | --- linux-2.2.20-ow1/arch/alpha/kernel/ptrace.c Fri Nov 2 11:39:05 2001 | |
161 | +++ linux-2.2.20-hap-2/arch/alpha/kernel/ptrace.c Fri Nov 9 19:16:17 2001 | |
162 | @@ -517,6 +517,9 @@ | |
163 | sys_ptrace(long request, long pid, long addr, long data, | |
164 | int a4, int a5, struct pt_regs regs) | |
165 | { | |
166 | +#ifdef CONFIG_SECURE_TRACE | |
167 | + extern int sysctl_security_trace, sysctl_security_trace_gid; | |
168 | +#endif | |
169 | struct task_struct *child; | |
170 | unsigned long tmp; | |
171 | long ret; | |
172 | @@ -555,6 +558,54 @@ | |
173 | /* the same process cannot be attached many times */ | |
174 | if (child->ptrace & PT_PTRACED) | |
175 | goto out; | |
176 | +#ifdef CONFIG_SECURE_CHROOT | |
177 | + if (!(hap_same_root_as_init(current)) && | |
178 | + !(hap_same_root(current, child)) ) { | |
179 | + /* | |
180 | + * This process is chrooted; don't let it ptrace | |
181 | + * any process not in the same jail with it | |
182 | + */ | |
183 | + security_alert("denied ptrace of %s[%d] within chrooted " | |
184 | + "jail [%s]:%lu by %s[%d], UID %d, EUID %d, parent %s[%d], UID %d, EUID %d", | |
185 | + "ptraces from a chrooted process", | |
186 | + child->comm, child->pid, kdevname(current->fs->root->d_inode->i_dev), | |
187 | + current->fs->root->d_inode->i_ino, current->comm, current->pid, | |
188 | + current->uid, current->euid, current->p_pptr->comm, current->p_pptr->pid, | |
189 | + current->p_pptr->uid, current->p_pptr->euid ); | |
190 | + goto out; | |
191 | + } | |
192 | +#endif | |
193 | +#ifdef CONFIG_SECURE_TRACE | |
194 | + if (sysctl_security_trace && current->uid | |
195 | +#ifdef CONFIG_SECURE_TRACE_USERGROUP | |
196 | + && current->egid != sysctl_security_trace_gid | |
197 | +#endif | |
198 | + ) { | |
199 | + security_alert("denied ptrace of %s[%d] by %s[%d], " | |
200 | + "UID/EUID %d/%d, GID/EGID %d/%d, parent %s[%d], " | |
201 | + "UID/EUID %d/%d, GID/EGID %d/%d", | |
202 | + "ptrace attempts", | |
203 | + child->comm, child->pid, current->comm, | |
204 | + current->pid, current->uid, | |
205 | + current->euid, current->gid, | |
206 | + current->egid, current->p_pptr->comm, | |
207 | + current->p_pptr->pid, current->p_pptr->uid, | |
208 | + current->p_pptr->euid, current->p_pptr->gid, | |
209 | + current->p_pptr->egid ); | |
210 | + goto out; | |
211 | + } | |
212 | + security_alert("ptrace of %s[%d] by %s[%d], " | |
213 | + "UID/EUID %d/%d, GID/EGID %d/%d, parent %s[%d], " | |
214 | + "UID/EUID %d/%d, GID/EGID %d/%d", | |
215 | + "ptraces", | |
216 | + child->comm, child->pid, current->comm, | |
217 | + current->pid, current->uid, | |
218 | + current->euid, current->gid, | |
219 | + current->egid, current->p_pptr->comm, | |
220 | + current->p_pptr->pid, current->p_pptr->uid, | |
221 | + current->p_pptr->euid, current->p_pptr->gid, | |
222 | + current->p_pptr->egid ); | |
223 | +#endif | |
224 | child->ptrace |= PT_PTRACED; | |
225 | if (child->p_pptr != current) { | |
226 | REMOVE_LINKS(child); | |
227 | @@ -684,11 +735,18 @@ | |
228 | } | |
229 | ||
230 | asmlinkage void | |
231 | -syscall_trace(void) | |
232 | +syscall_trace(int unused) | |
233 | { | |
234 | +#ifdef CONFIG_SECURE_TRACE | |
235 | + struct pt_regs *regs = (struct pt_regs *) &unused; | |
236 | +#endif | |
237 | if ((current->ptrace & (PT_PTRACED|PT_TRACESYS)) | |
238 | != (PT_PTRACED|PT_TRACESYS)) | |
239 | return; | |
240 | +#ifdef CONFIG_SECURE_TRACE | |
241 | + if (!user_mode(regs)) | |
242 | + return; /* Don't trace the kernel's syscalls */ | |
243 | +#endif | |
244 | current->exit_code = SIGTRAP; | |
245 | current->state = TASK_STOPPED; | |
246 | notify_parent(current, SIGCHLD); | |
247 | diff -urP linux-2.2.20-ow1/arch/arm/defconfig linux-2.2.20-hap-2/arch/arm/defconfig | |
248 | --- linux-2.2.20-ow1/arch/arm/defconfig Sat Nov 3 13:14:57 2001 | |
249 | +++ linux-2.2.20-hap-2/arch/arm/defconfig Fri Nov 9 19:16:17 2001 | |
250 | @@ -488,10 +488,16 @@ | |
251 | # | |
252 | CONFIG_SECURE_LINK=y | |
253 | CONFIG_SECURE_FIFO=y | |
254 | -# CONFIG_SECURE_PROC is not set | |
255 | +CONFIG_SECURE_NOTSOMUCH=y | |
256 | +CONFIG_SECURE_PROC=y | |
257 | CONFIG_SECURE_FD_0_1_2=y | |
258 | CONFIG_SECURE_RLIMIT_NPROC=y | |
259 | # CONFIG_SECURE_SHM is not set | |
260 | +CONFIG_SECURE_BUGFIX=y | |
261 | +CONFIG_SECURE_LOGGING=y | |
262 | +CONFIG_SECURE_NETWORK=y | |
263 | +# CONFIG_SECURE_NET_SBD is not set | |
264 | +CONFIG_SECURE_CHROOT=y | |
265 | ||
266 | # | |
267 | # Kernel hacking | |
268 | diff -urP linux-2.2.20-ow1/arch/arm/kernel/ptrace.c linux-2.2.20-hap-2/arch/arm/kernel/ptrace.c | |
269 | --- linux-2.2.20-ow1/arch/arm/kernel/ptrace.c Fri Nov 2 11:39:05 2001 | |
270 | +++ linux-2.2.20-hap-2/arch/arm/kernel/ptrace.c Fri Nov 9 19:16:17 2001 | |
271 | @@ -792,6 +792,9 @@ | |
272 | ||
273 | asmlinkage int sys_ptrace(long request, long pid, long addr, long data) | |
274 | { | |
275 | +#ifdef CONFIG_SECURE_TRACE | |
276 | + extern int sysctl_security_trace, sysctl_security_trace_gid; | |
277 | +#endif | |
278 | struct task_struct *child; | |
279 | int ret; | |
280 | ||
281 | @@ -828,6 +831,54 @@ | |
282 | /* the same process cannot be attached many times */ | |
283 | if (child->ptrace & PT_PTRACED) | |
284 | goto out; | |
285 | +#ifdef CONFIG_SECURE_CHROOT | |
286 | + if (!(hap_same_root_as_init(current)) && | |
287 | + !(hap_same_root(current, child)) ) { | |
288 | + /* | |
289 | + * This process is chrooted; don't let it ptrace | |
290 | + * any process not in the same jail with it | |
291 | + */ | |
292 | + security_alert("denied ptrace of %s[%d] within chrooted " | |
293 | + "jail [%s]:%lu by %s[%d], UID %d, EUID %d, parent %s[%d], UID %d, EUID %d", | |
294 | + "ptraces from a chrooted process", | |
295 | + child->comm, child->pid, kdevname(current->fs->root->d_inode->i_dev), | |
296 | + current->fs->root->d_inode->i_ino, current->comm, current->pid, | |
297 | + current->uid, current->euid, current->p_pptr->comm, current->p_pptr->pid, | |
298 | + current->p_pptr->uid, current->p_pptr->euid ); | |
299 | + goto out; | |
300 | + } | |
301 | +#endif | |
302 | +#ifdef CONFIG_SECURE_TRACE | |
303 | + if (sysctl_security_trace && current->uid | |
304 | +#ifdef CONFIG_SECURE_TRACE_USERGROUP | |
305 | + && current->egid != sysctl_security_trace_gid | |
306 | +#endif | |
307 | + ) { | |
308 | + security_alert("denied ptrace of %s[%d] by %s[%d], " | |
309 | + "UID/EUID %d/%d, GID/EGID %d/%d, parent %s[%d], " | |
310 | + "UID/EUID %d/%d, GID/EGID %d/%d", | |
311 | + "ptrace attempts", | |
312 | + child->comm, child->pid, current->comm, | |
313 | + current->pid, current->uid, | |
314 | + current->euid, current->gid, | |
315 | + current->egid, current->p_pptr->comm, | |
316 | + current->p_pptr->pid, current->p_pptr->uid, | |
317 | + current->p_pptr->euid, current->p_pptr->gid, | |
318 | + current->p_pptr->egid ); | |
319 | + goto out; | |
320 | + } | |
321 | + security_alert("ptrace of %s[%d] by %s[%d], " | |
322 | + "UID/EUID %d/%d, GID/EGID %d/%d, parent %s[%d], " | |
323 | + "UID/EUID %d/%d, GID/EGID %d/%d", | |
324 | + "ptraces", | |
325 | + child->comm, child->pid, current->comm, | |
326 | + current->pid, current->uid, | |
327 | + current->euid, current->gid, | |
328 | + current->egid, current->p_pptr->comm, | |
329 | + current->p_pptr->pid, current->p_pptr->uid, | |
330 | + current->p_pptr->euid, current->p_pptr->gid, | |
331 | + current->p_pptr->egid ); | |
332 | +#endif | |
333 | child->ptrace |= PT_PTRACED; | |
334 | ||
335 | if (child->p_pptr != current) { | |
336 | @@ -855,12 +906,19 @@ | |
337 | return ret; | |
338 | } | |
339 | ||
340 | -asmlinkage void syscall_trace(void) | |
341 | +asmlinkage void syscall_trace(int unused) | |
342 | { | |
343 | +#ifdef CONFIG_SECURE_TRACE | |
344 | + struct pt_regs *regs = (struct pt_regs *) &unused; | |
345 | +#endif | |
346 | if ((current->ptrace & (PT_PTRACED|PT_TRACESYS)) | |
347 | != (PT_PTRACED|PT_TRACESYS)) | |
348 | return; | |
349 | current->exit_code = SIGTRAP; | |
350 | +#ifdef CONFIG_SECURE_TRACE | |
351 | + if (!user_mode(regs)) | |
352 | + return; /* Don't trace the kernel's syscalls */ | |
353 | +#endif | |
354 | current->state = TASK_STOPPED; | |
355 | notify_parent(current, SIGCHLD); | |
356 | schedule(); | |
357 | diff -urP linux-2.2.20-ow1/arch/i386/defconfig linux-2.2.20-hap-2/arch/i386/defconfig | |
358 | --- linux-2.2.20-ow1/arch/i386/defconfig Sat Nov 3 13:14:57 2001 | |
359 | +++ linux-2.2.20-hap-2/arch/i386/defconfig Fri Nov 9 19:16:17 2001 | |
360 | @@ -427,11 +427,17 @@ | |
361 | CONFIG_SECURE_STACK_SMART=y | |
362 | CONFIG_SECURE_LINK=y | |
363 | CONFIG_SECURE_FIFO=y | |
364 | -# CONFIG_SECURE_PROC is not set | |
365 | +CONFIG_SECURE_NOTSOMUCH=y | |
366 | +CONFIG_SECURE_PROC=y | |
367 | CONFIG_SECURE_FD_0_1_2=y | |
368 | CONFIG_SECURE_RLIMIT_NPROC=y | |
369 | # CONFIG_SECURE_SHM is not set | |
370 | - | |
371 | +CONFIG_SECURE_BUGFIX=y | |
372 | +CONFIG_SECURE_LOGGING=y | |
373 | +CONFIG_SECURE_NETWORK=y | |
374 | +# CONFIG_SECURE_NET_SBD is not set | |
375 | +CONFIG_SECURE_CHROOT=y | |
376 | +CONFIG_SECURE_TRACE=y | |
377 | # | |
378 | # Kernel hacking | |
379 | # | |
380 | diff -urP linux-2.2.20-ow1/arch/i386/kernel/ptrace.c linux-2.2.20-hap-2/arch/i386/kernel/ptrace.c | |
381 | --- linux-2.2.20-ow1/arch/i386/kernel/ptrace.c Fri Nov 2 11:39:05 2001 | |
382 | +++ linux-2.2.20-hap-2/arch/i386/kernel/ptrace.c Fri Nov 9 19:16:17 2001 | |
383 | @@ -385,6 +385,9 @@ | |
384 | ||
385 | asmlinkage int sys_ptrace(long request, long pid, long addr, long data) | |
386 | { | |
387 | +#ifdef CONFIG_SECURE_TRACE | |
388 | + extern int sysctl_security_trace, sysctl_security_trace_gid; | |
389 | +#endif | |
390 | struct task_struct *child; | |
391 | struct user * dummy = NULL; | |
392 | unsigned long flags; | |
393 | @@ -425,6 +428,54 @@ | |
394 | /* the same process cannot be attached many times */ | |
395 | if (child->ptrace & PT_PTRACED) | |
396 | goto out; | |
397 | +#ifdef CONFIG_SECURE_CHROOT | |
398 | + if (!(hap_same_root_as_init(current)) && | |
399 | + !(hap_same_root(current, child)) ) { | |
400 | + /* | |
401 | + * This process is chrooted; don't let it ptrace | |
402 | + * any process not in the same jail with it | |
403 | + */ | |
404 | + security_alert("denied ptrace of %s[%d] within chrooted " | |
405 | + "jail [%s]:%lu by %s[%d], UID %d, EUID %d, parent %s[%d], UID %d, EUID %d", | |
406 | + "ptraces from a chrooted process", | |
407 | + child->comm, child->pid, kdevname(current->fs->root->d_inode->i_dev), | |
408 | + current->fs->root->d_inode->i_ino, current->comm, current->pid, | |
409 | + current->uid, current->euid, current->p_pptr->comm, current->p_pptr->pid, | |
410 | + current->p_pptr->uid, current->p_pptr->euid ); | |
411 | + goto out; | |
412 | + } | |
413 | +#endif | |
414 | +#ifdef CONFIG_SECURE_TRACE | |
415 | + if (sysctl_security_trace && current->uid | |
416 | +#ifdef CONFIG_SECURE_TRACE_USERGROUP | |
417 | + && current->egid != sysctl_security_trace_gid | |
418 | +#endif | |
419 | + ) { | |
420 | + security_alert("denied ptrace of %s[%d] by %s[%d], " | |
421 | + "UID/EUID %d/%d, GID/EGID %d/%d, parent %s[%d], " | |
422 | + "UID/EUID %d/%d, GID/EGID %d/%d", | |
423 | + "ptrace attempts", | |
424 | + child->comm, child->pid, current->comm, | |
425 | + current->pid, current->uid, | |
426 | + current->euid, current->gid, | |
427 | + current->egid, current->p_pptr->comm, | |
428 | + current->p_pptr->pid, current->p_pptr->uid, | |
429 | + current->p_pptr->euid, current->p_pptr->gid, | |
430 | + current->p_pptr->egid ); | |
431 | + goto out; | |
432 | + } | |
433 | + security_alert("ptrace of %s[%d] by %s[%d], " | |
434 | + "UID/EUID %d/%d, GID/EGID %d/%d, parent %s[%d], " | |
435 | + "UID/EUID %d/%d, GID/EGID %d/%d", | |
436 | + "ptraces", | |
437 | + child->comm, child->pid, current->comm, | |
438 | + current->pid, current->uid, | |
439 | + current->euid, current->gid, | |
440 | + current->egid, current->p_pptr->comm, | |
441 | + current->p_pptr->pid, current->p_pptr->uid, | |
442 | + current->p_pptr->euid, current->p_pptr->gid, | |
443 | + current->p_pptr->egid ); | |
444 | +#endif | |
445 | child->ptrace |= PT_PTRACED; | |
446 | ||
447 | write_lock_irqsave(&tasklist_lock, flags); | |
448 | @@ -708,11 +759,18 @@ | |
449 | return ret; | |
450 | } | |
451 | ||
452 | -asmlinkage void syscall_trace(void) | |
453 | +asmlinkage void syscall_trace(int unused) | |
454 | { | |
455 | +#ifdef CONFIG_SECURE_TRACE | |
456 | + struct pt_regs *regs = (struct pt_regs *) &unused; | |
457 | +#endif | |
458 | if ((current->ptrace & (PT_PTRACED|PT_TRACESYS)) | |
459 | != (PT_PTRACED|PT_TRACESYS)) | |
460 | return; | |
461 | +#ifdef CONFIG_SECURE_TRACE | |
462 | + if (!user_mode(regs)) | |
463 | + return; /* Don't trace the kernel's syscalls */ | |
464 | +#endif | |
465 | current->exit_code = SIGTRAP; | |
466 | current->state = TASK_STOPPED; | |
467 | notify_parent(current, SIGCHLD); | |
468 | diff -urP linux-2.2.20-ow1/arch/i386/kernel/traps.c linux-2.2.20-hap-2/arch/i386/kernel/traps.c | |
469 | --- linux-2.2.20-ow1/arch/i386/kernel/traps.c Sat Nov 3 13:14:57 2001 | |
470 | +++ linux-2.2.20-hap-2/arch/i386/kernel/traps.c Fri Nov 9 19:16:17 2001 | |
471 | @@ -401,11 +401,13 @@ | |
472 | */ | |
473 | if ((addr & 0xFF800000) == 0xBF800000 || | |
474 | (addr >= PAGE_OFFSET - _STK_LIM && addr < PAGE_OFFSET)) | |
475 | - security_alert("return onto stack running as " | |
476 | - "UID %d, EUID %d, process %s:%d", | |
477 | + security_alert("return onto stack by %s[%d], UID %d, " | |
478 | + "EUID %d, parent %s[%d], UID %d, EUID %d", | |
479 | "returns onto stack", | |
480 | - current->uid, current->euid, | |
481 | - current->comm, current->pid); | |
482 | + current->comm, current->pid, current->uid, | |
483 | + current->euid, current->p_pptr->comm, | |
484 | + current->p_pptr->pid, current->p_pptr->uid, | |
485 | + current->p_pptr->euid); | |
486 | } | |
487 | ||
488 | #ifdef CONFIG_SECURE_STACK_SMART | |
489 | diff -urP linux-2.2.20-ow1/arch/m68k/defconfig linux-2.2.20-hap-2/arch/m68k/defconfig | |
490 | --- linux-2.2.20-ow1/arch/m68k/defconfig Sat Nov 3 13:14:57 2001 | |
491 | +++ linux-2.2.20-hap-2/arch/m68k/defconfig Fri Nov 9 19:16:17 2001 | |
492 | @@ -243,10 +243,15 @@ | |
493 | # | |
494 | CONFIG_SECURE_LINK=y | |
495 | CONFIG_SECURE_FIFO=y | |
496 | -# CONFIG_SECURE_PROC is not set | |
497 | +CONFIG_SECURE_NOTSOMUCH=y | |
498 | +CONFIG_SECURE_PROC=y | |
499 | CONFIG_SECURE_FD_0_1_2=y | |
500 | CONFIG_SECURE_RLIMIT_NPROC=y | |
501 | # CONFIG_SECURE_SHM is not set | |
502 | +CONFIG_SECURE_LOGGING=y | |
503 | +CONFIG_SECURE_NETWORK=y | |
504 | +# CONFIG_SECURE_NET_SBD is not set | |
505 | +CONFIG_SECURE_CHROOT=y | |
506 | ||
507 | # | |
508 | # Kernel hacking | |
509 | diff -urP linux-2.2.20-ow1/arch/m68k/kernel/ptrace.c linux-2.2.20-hap-2/arch/m68k/kernel/ptrace.c | |
510 | --- linux-2.2.20-ow1/arch/m68k/kernel/ptrace.c Fri Nov 2 11:39:05 2001 | |
511 | +++ linux-2.2.20-hap-2/arch/m68k/kernel/ptrace.c Fri Nov 9 19:16:17 2001 | |
512 | @@ -312,6 +312,9 @@ | |
513 | ||
514 | asmlinkage int sys_ptrace(long request, long pid, long addr, long data) | |
515 | { | |
516 | +#ifdef CONFIG_SECURE_TRACE | |
517 | + extern int sysctl_security_trace, sysctl_security_trace_gid; | |
518 | +#endif | |
519 | struct task_struct *child; | |
520 | unsigned long flags; | |
521 | int ret; | |
522 | @@ -351,6 +354,54 @@ | |
523 | /* the same process cannot be attached many times */ | |
524 | if (child->ptrace & PT_PTRACED) | |
525 | goto out; | |
526 | +#ifdef CONFIG_SECURE_CHROOT | |
527 | + if (!(hap_same_root_as_init(current)) && | |
528 | + !(hap_same_root(current, child)) ) { | |
529 | + /* | |
530 | + * This process is chrooted; don't let it ptrace | |
531 | + * any process not in the same jail with it | |
532 | + */ | |
533 | + security_alert("denied ptrace of %s[%d] within chrooted " | |
534 | + "jail [%s]:%lu by %s[%d], UID %d, EUID %d, parent %s[%d], UID %d, EUID %d", | |
535 | + "ptraces from a chrooted process", | |
536 | + child->comm, child->pid, kdevname(current->fs->root->d_inode->i_dev), | |
537 | + current->fs->root->d_inode->i_ino, current->comm, current->pid, | |
538 | + current->uid, current->euid, current->p_pptr->comm, current->p_pptr->pid, | |
539 | + current->p_pptr->uid, current->p_pptr->euid ); | |
540 | + goto out; | |
541 | + } | |
542 | +#endif | |
543 | +#ifdef CONFIG_SECURE_TRACE | |
544 | + if (sysctl_security_trace && current->uid | |
545 | +#ifdef CONFIG_SECURE_TRACE_USERGROUP | |
546 | + && current->egid != sysctl_security_trace_gid | |
547 | +#endif | |
548 | + ) { | |
549 | + security_alert("denied ptrace of %s[%d] by %s[%d], " | |
550 | + "UID/EUID %d/%d, GID/EGID %d/%d, parent %s[%d], " | |
551 | + "UID/EUID %d/%d, GID/EGID %d/%d", | |
552 | + "ptrace attempts", | |
553 | + child->comm, child->pid, current->comm, | |
554 | + current->pid, current->uid, | |
555 | + current->euid, current->gid, | |
556 | + current->egid, current->p_pptr->comm, | |
557 | + current->p_pptr->pid, current->p_pptr->uid, | |
558 | + current->p_pptr->euid, current->p_pptr->gid, | |
559 | + current->p_pptr->egid ); | |
560 | + goto out; | |
561 | + } | |
562 | + security_alert("ptrace of %s[%d] by %s[%d], " | |
563 | + "UID/EUID %d/%d, GID/EGID %d/%d, parent %s[%d], " | |
564 | + "UID/EUID %d/%d, GID/EGID %d/%d", | |
565 | + "ptraces", | |
566 | + child->comm, child->pid, current->comm, | |
567 | + current->pid, current->uid, | |
568 | + current->euid, current->gid, | |
569 | + current->egid, current->p_pptr->comm, | |
570 | + current->p_pptr->pid, current->p_pptr->uid, | |
571 | + current->p_pptr->euid, current->p_pptr->gid, | |
572 | + current->p_pptr->egid ); | |
573 | +#endif | |
574 | child->ptrace |= PT_PTRACED; | |
575 | ||
576 | write_lock_irqsave(&tasklist_lock, flags); | |
577 | @@ -604,13 +655,20 @@ | |
578 | return ret; | |
579 | } | |
580 | ||
581 | -asmlinkage void syscall_trace(void) | |
582 | +asmlinkage void syscall_trace(int unused) | |
583 | { | |
584 | +#ifdef CONFIG_SECURE_TRACE | |
585 | + struct pt_regs *regs = (struct pt_regs *) &unused; | |
586 | +#endif | |
587 | lock_kernel(); | |
588 | if ((current->ptrace & (PT_PTRACED|PT_TRACESYS)) | |
589 | != (PT_PTRACED|PT_TRACESYS)) | |
590 | goto out; | |
591 | current->exit_code = SIGTRAP; | |
592 | +#ifdef CONFIG_SECURE_TRACE | |
593 | + if (!user_mode(regs)) | |
594 | + return; /* Don't trace the kernel's syscalls */ | |
595 | +#endif | |
596 | current->state = TASK_STOPPED; | |
597 | notify_parent(current, SIGCHLD); | |
598 | schedule(); | |
599 | diff -urP linux-2.2.20-ow1/arch/mips/defconfig linux-2.2.20-hap-2/arch/mips/defconfig | |
600 | --- linux-2.2.20-ow1/arch/mips/defconfig Sat Nov 3 13:14:57 2001 | |
601 | +++ linux-2.2.20-hap-2/arch/mips/defconfig Fri Nov 9 19:16:17 2001 | |
602 | @@ -369,10 +369,15 @@ | |
603 | # | |
604 | CONFIG_SECURE_LINK=y | |
605 | CONFIG_SECURE_FIFO=y | |
606 | -# CONFIG_SECURE_PROC is not set | |
607 | +CONFIG_SECURE_NOTSOMUCH=y | |
608 | +CONFIG_SECURE_PROC=y | |
609 | CONFIG_SECURE_FD_0_1_2=y | |
610 | CONFIG_SECURE_RLIMIT_NPROC=y | |
611 | # CONFIG_SECURE_SHM is not set | |
612 | +CONFIG_SECURE_LOGGING=y | |
613 | +CONFIG_SECURE_NETWORK=y | |
614 | +# CONFIG_SECURE_NET_SBD is not set | |
615 | +CONFIG_SECURE_CHROOT=y | |
616 | ||
617 | # | |
618 | # Kernel hacking | |
619 | diff -urP linux-2.2.20-ow1/arch/mips/kernel/ptrace.c linux-2.2.20-hap-2/arch/mips/kernel/ptrace.c | |
620 | --- linux-2.2.20-ow1/arch/mips/kernel/ptrace.c Fri Nov 2 11:39:05 2001 | |
621 | +++ linux-2.2.20-hap-2/arch/mips/kernel/ptrace.c Fri Nov 9 19:16:17 2001 | |
622 | @@ -258,6 +258,9 @@ | |
623 | ||
624 | asmlinkage int sys_ptrace(long request, long pid, long addr, long data) | |
625 | { | |
626 | +#ifdef CONFIG_SECURE_TRACE | |
627 | + extern int sysctl_security_trace, sysctl_security_trace_gid; | |
628 | +#endif | |
629 | struct task_struct *child; | |
630 | unsigned int flags; | |
631 | int res; | |
632 | @@ -308,6 +311,54 @@ | |
633 | /* the same process cannot be attached many times */ | |
634 | if (child->ptrace & PT_PTRACED) | |
635 | goto out; | |
636 | +#ifdef CONFIG_SECURE_CHROOT | |
637 | + if (!(hap_same_root_as_init(current)) && | |
638 | + !(hap_same_root(current, child)) ) { | |
639 | + /* | |
640 | + * This process is chrooted; don't let it ptrace | |
641 | + * any process not in the same jail with it | |
642 | + */ | |
643 | + security_alert("denied ptrace of %s[%d] within chrooted " | |
644 | + "jail [%s]:%lu by %s[%d], UID %d, EUID %d, parent %s[%d], UID %d, EUID %d", | |
645 | + "ptraces from a chrooted process", | |
646 | + child->comm, child->pid, kdevname(current->fs->root->d_inode->i_dev), | |
647 | + current->fs->root->d_inode->i_ino, current->comm, current->pid, | |
648 | + current->uid, current->euid, current->p_pptr->comm, current->p_pptr->pid, | |
649 | + current->p_pptr->uid, current->p_pptr->euid ); | |
650 | + goto out; | |
651 | + } | |
652 | +#endif | |
653 | +#ifdef CONFIG_SECURE_TRACE | |
654 | + if (sysctl_security_trace && current->uid | |
655 | +#ifdef CONFIG_SECURE_TRACE_USERGROUP | |
656 | + && current->egid != sysctl_security_trace_gid | |
657 | +#endif | |
658 | + ) { | |
659 | + security_alert("denied ptrace of %s[%d] by %s[%d], " | |
660 | + "UID/EUID %d/%d, GID/EGID %d/%d, parent %s[%d], " | |
661 | + "UID/EUID %d/%d, GID/EGID %d/%d", | |
662 | + "ptrace attempts", | |
663 | + child->comm, child->pid, current->comm, | |
664 | + current->pid, current->uid, | |
665 | + current->euid, current->gid, | |
666 | + current->egid, current->p_pptr->comm, | |
667 | + current->p_pptr->pid, current->p_pptr->uid, | |
668 | + current->p_pptr->euid, current->p_pptr->gid, | |
669 | + current->p_pptr->egid ); | |
670 | + goto out; | |
671 | + } | |
672 | + security_alert("ptrace of %s[%d] by %s[%d], " | |
673 | + "UID/EUID %d/%d, GID/EGID %d/%d, parent %s[%d], " | |
674 | + "UID/EUID %d/%d, GID/EGID %d/%d", | |
675 | + "ptraces", | |
676 | + child->comm, child->pid, current->comm, | |
677 | + current->pid, current->uid, | |
678 | + current->euid, current->gid, | |
679 | + current->egid, current->p_pptr->comm, | |
680 | + current->p_pptr->pid, current->p_pptr->uid, | |
681 | + current->p_pptr->euid, current->p_pptr->gid, | |
682 | + current->p_pptr->egid ); | |
683 | +#endif | |
684 | child->ptrace |= PT_PTRACED; | |
685 | ||
686 | write_lock_irqsave(&tasklist_lock, flags); | |
687 | @@ -520,11 +571,18 @@ | |
688 | return res; | |
689 | } | |
690 | ||
691 | -asmlinkage void syscall_trace(void) | |
692 | +asmlinkage void syscall_trace(int unused) | |
693 | { | |
694 | +#ifdef CONFIG_SECURE_TRACE | |
695 | + struct pt_regs *regs = (struct pt_regs *) &unused; | |
696 | +#endif | |
697 | if ((current->ptrace & (PT_PTRACED|PT_TRACESYS)) | |
698 | != (PT_PTRACED|PT_TRACESYS)) | |
699 | return; | |
700 | +#ifdef CONFIG_SECURE_TRACE | |
701 | + if (!user_mode(regs)) | |
702 | + return; /* Don't trace the kernel's syscalls */ | |
703 | +#endif | |
704 | current->exit_code = SIGTRAP; | |
705 | current->state = TASK_STOPPED; | |
706 | notify_parent(current, SIGCHLD); | |
707 | diff -urP linux-2.2.20-ow1/arch/ppc/defconfig linux-2.2.20-hap-2/arch/ppc/defconfig | |
708 | --- linux-2.2.20-ow1/arch/ppc/defconfig Sat Nov 3 13:14:57 2001 | |
709 | +++ linux-2.2.20-hap-2/arch/ppc/defconfig Fri Nov 9 19:16:17 2001 | |
710 | @@ -499,10 +499,15 @@ | |
711 | # | |
712 | CONFIG_SECURE_LINK=y | |
713 | CONFIG_SECURE_FIFO=y | |
714 | -# CONFIG_SECURE_PROC is not set | |
715 | +CONFIG_SECURE_NOTSOMUCH=y | |
716 | +CONFIG_SECURE_PROC=y | |
717 | CONFIG_SECURE_FD_0_1_2=y | |
718 | CONFIG_SECURE_RLIMIT_NPROC=y | |
719 | # CONFIG_SECURE_SHM is not set | |
720 | +CONFIG_SECURE_LOGGING=y | |
721 | +CONFIG_SECURE_NETWORK=y | |
722 | +# CONFIG_SECURE_NET_SBD is not set | |
723 | +CONFIG_SECURE_CHROOT=y | |
724 | ||
725 | # | |
726 | # Kernel hacking | |
727 | diff -urP linux-2.2.20-ow1/arch/ppc/kernel/ptrace.c linux-2.2.20-hap-2/arch/ppc/kernel/ptrace.c | |
728 | --- linux-2.2.20-ow1/arch/ppc/kernel/ptrace.c Fri Nov 2 11:39:05 2001 | |
729 | +++ linux-2.2.20-hap-2/arch/ppc/kernel/ptrace.c Fri Nov 9 19:16:17 2001 | |
730 | @@ -334,6 +334,9 @@ | |
731 | ||
732 | asmlinkage int sys_ptrace(long request, long pid, long addr, long data) | |
733 | { | |
734 | +#ifdef CONFIG_SECURE_TRACE | |
735 | + extern int sysctl_security_trace, sysctl_security_trace_gid; | |
736 | +#endif | |
737 | struct task_struct *child; | |
738 | int ret = -EPERM; | |
739 | unsigned long flags; | |
740 | @@ -372,6 +375,54 @@ | |
741 | /* the same process cannot be attached many times */ | |
742 | if (child->ptrace & PT_PTRACED) | |
743 | goto out; | |
744 | +#ifdef CONFIG_SECURE_CHROOT | |
745 | + if (!(hap_same_root_as_init(current)) && | |
746 | + !(hap_same_root(current, child)) ) { | |
747 | + /* | |
748 | + * This process is chrooted; don't let it ptrace | |
749 | + * any process not in the same jail with it | |
750 | + */ | |
751 | + security_alert("denied ptrace of %s[%d] within chrooted " | |
752 | + "jail [%s]:%lu by %s[%d], UID %d, EUID %d, parent %s[%d], UID %d, EUID %d", | |
753 | + "ptraces from a chrooted process", | |
754 | + child->comm, child->pid, kdevname(current->fs->root->d_inode->i_dev), | |
755 | + current->fs->root->d_inode->i_ino, current->comm, current->pid, | |
756 | + current->uid, current->euid, current->p_pptr->comm, current->p_pptr->pid, | |
757 | + current->p_pptr->uid, current->p_pptr->euid ); | |
758 | + goto out; | |
759 | + } | |
760 | +#endif | |
761 | +#ifdef CONFIG_SECURE_TRACE | |
762 | + if (sysctl_security_trace && current->uid | |
763 | +#ifdef CONFIG_SECURE_TRACE_USERGROUP | |
764 | + && current->egid != sysctl_security_trace_gid | |
765 | +#endif | |
766 | + ) { | |
767 | + security_alert("denied ptrace of %s[%d] by %s[%d], " | |
768 | + "UID/EUID %d/%d, GID/EGID %d/%d, parent %s[%d], " | |
769 | + "UID/EUID %d/%d, GID/EGID %d/%d", | |
770 | + "ptrace attempts", | |
771 | + child->comm, child->pid, current->comm, | |
772 | + current->pid, current->uid, | |
773 | + current->euid, current->gid, | |
774 | + current->egid, current->p_pptr->comm, | |
775 | + current->p_pptr->pid, current->p_pptr->uid, | |
776 | + current->p_pptr->euid, current->p_pptr->gid, | |
777 | + current->p_pptr->egid ); | |
778 | + goto out; | |
779 | + } | |
780 | + security_alert("ptrace of %s[%d] by %s[%d], " | |
781 | + "UID/EUID %d/%d, GID/EGID %d/%d, parent %s[%d], " | |
782 | + "UID/EUID %d/%d, GID/EGID %d/%d", | |
783 | + "ptraces", | |
784 | + child->comm, child->pid, current->comm, | |
785 | + current->pid, current->uid, | |
786 | + current->euid, current->gid, | |
787 | + current->egid, current->p_pptr->comm, | |
788 | + current->p_pptr->pid, current->p_pptr->uid, | |
789 | + current->p_pptr->euid, current->p_pptr->gid, | |
790 | + current->p_pptr->egid ); | |
791 | +#endif | |
792 | child->ptrace |= PT_PTRACED; | |
793 | ||
794 | write_lock_irqsave(&tasklist_lock, flags); | |
795 | @@ -539,11 +590,18 @@ | |
796 | return ret; | |
797 | } | |
798 | ||
799 | -asmlinkage void syscall_trace(void) | |
800 | +asmlinkage void syscall_trace(int unused) | |
801 | { | |
802 | +#ifdef CONFIG_SECURE_TRACE | |
803 | + struct pt_regs *regs = (struct pt_regs *) &unused; | |
804 | +#endif | |
805 | if ((current->ptrace & (PT_PTRACED|PT_TRACESYS)) | |
806 | != (PT_PTRACED|PT_TRACESYS)) | |
807 | return; | |
808 | +#ifdef CONFIG_SECURE_TRACE | |
809 | + if (!user_mode(regs)) | |
810 | + return; /* Don't trace the kernel's syscalls */ | |
811 | +#endif | |
812 | current->exit_code = SIGTRAP; | |
813 | current->state = TASK_STOPPED; | |
814 | notify_parent(current, SIGCHLD); | |
815 | diff -urP linux-2.2.20-ow1/arch/s390/defconfig linux-2.2.20-hap-2/arch/s390/defconfig | |
816 | --- linux-2.2.20-ow1/arch/s390/defconfig Sat Nov 3 13:14:57 2001 | |
817 | +++ linux-2.2.20-hap-2/arch/s390/defconfig Fri Nov 9 19:16:17 2001 | |
818 | @@ -194,10 +194,15 @@ | |
819 | # | |
820 | CONFIG_SECURE_LINK=y | |
821 | CONFIG_SECURE_FIFO=y | |
822 | -# CONFIG_SECURE_PROC is not set | |
823 | +CONFIG_SECURE_NOTSOMUCH=y | |
824 | +CONFIG_SECURE_PROC=y | |
825 | CONFIG_SECURE_FD_0_1_2=y | |
826 | CONFIG_SECURE_RLIMIT_NPROC=y | |
827 | # CONFIG_SECURE_SHM is not set | |
828 | +CONFIG_SECURE_LOGGING=y | |
829 | +CONFIG_SECURE_NETWORK=y | |
830 | +# CONFIG_SECURE_NET_SBD is not set | |
831 | +CONFIG_SECURE_CHROOT=y | |
832 | ||
833 | # | |
834 | # Kernel hacking | |
835 | diff -urP linux-2.2.20-ow1/arch/s390/kernel/ptrace.c linux-2.2.20-hap-2/arch/s390/kernel/ptrace.c | |
836 | --- linux-2.2.20-ow1/arch/s390/kernel/ptrace.c Fri Nov 2 11:39:06 2001 | |
837 | +++ linux-2.2.20-hap-2/arch/s390/kernel/ptrace.c Fri Nov 9 19:16:17 2001 | |
838 | @@ -427,6 +427,9 @@ | |
839 | ||
840 | asmlinkage int sys_ptrace(long request, long pid, long addr, long data) | |
841 | { | |
842 | +#ifdef CONFIG_SECURE_TRACE | |
843 | + extern int sysctl_security_trace, sysctl_security_trace_gid; | |
844 | +#endif | |
845 | struct task_struct *child; | |
846 | int ret = -EPERM; | |
847 | unsigned long tmp; | |
848 | @@ -461,6 +464,54 @@ | |
849 | /* the same process cannot be attached many times */ | |
850 | if (child->ptrace & PT_PTRACED) | |
851 | goto out; | |
852 | +#ifdef CONFIG_SECURE_CHROOT | |
853 | + if (!(hap_same_root_as_init(current)) && | |
854 | + !(hap_same_root(current, child)) ) { | |
855 | + /* | |
856 | + * This process is chrooted; don't let it ptrace | |
857 | + * any process not in the same jail with it | |
858 | + */ | |
859 | + security_alert("denied ptrace of %s[%d] within chrooted " | |
860 | + "jail [%s]:%lu by %s[%d], UID %d, EUID %d, parent %s[%d], UID %d, EUID %d", | |
861 | + "ptraces from a chrooted process", | |
862 | + child->comm, child->pid, kdevname(current->fs->root->d_inode->i_dev), | |
863 | + current->fs->root->d_inode->i_ino, current->comm, current->pid, | |
864 | + current->uid, current->euid, current->p_pptr->comm, current->p_pptr->pid, | |
865 | + current->p_pptr->uid, current->p_pptr->euid ); | |
866 | + goto out; | |
867 | + } | |
868 | +#endif | |
869 | +#ifdef CONFIG_SECURE_TRACE | |
870 | + if (sysctl_security_trace && current->uid | |
871 | +#ifdef CONFIG_SECURE_TRACE_USERGROUP | |
872 | + && current->egid != sysctl_security_trace_gid | |
873 | +#endif | |
874 | + ) { | |
875 | + security_alert("denied ptrace of %s[%d] by %s[%d], " | |
876 | + "UID/EUID %d/%d, GID/EGID %d/%d, parent %s[%d], " | |
877 | + "UID/EUID %d/%d, GID/EGID %d/%d", | |
878 | + "ptrace attempts", | |
879 | + child->comm, child->pid, current->comm, | |
880 | + current->pid, current->uid, | |
881 | + current->euid, current->gid, | |
882 | + current->egid, current->p_pptr->comm, | |
883 | + current->p_pptr->pid, current->p_pptr->uid, | |
884 | + current->p_pptr->euid, current->p_pptr->gid, | |
885 | + current->p_pptr->egid ); | |
886 | + goto out; | |
887 | + } | |
888 | + security_alert("ptrace of %s[%d] by %s[%d], " | |
889 | + "UID/EUID %d/%d, GID/EGID %d/%d, parent %s[%d], " | |
890 | + "UID/EUID %d/%d, GID/EGID %d/%d", | |
891 | + "ptraces", | |
892 | + child->comm, child->pid, current->comm, | |
893 | + current->pid, current->uid, | |
894 | + current->euid, current->gid, | |
895 | + current->egid, current->p_pptr->comm, | |
896 | + current->p_pptr->pid, current->p_pptr->uid, | |
897 | + current->p_pptr->euid, current->p_pptr->gid, | |
898 | + current->p_pptr->egid ); | |
899 | +#endif | |
900 | child->ptrace |= PT_PTRACED; | |
901 | if (child->p_pptr != current) | |
902 | { | |
903 | @@ -590,12 +641,19 @@ | |
904 | return ret; | |
905 | } | |
906 | ||
907 | -asmlinkage void syscall_trace(void) | |
908 | +asmlinkage void syscall_trace(int unused) | |
909 | { | |
910 | +#ifdef CONFIG_SECURE_TRACE | |
911 | + struct pt_regs *regs = (struct pt_regs *) &unused; | |
912 | +#endif | |
913 | lock_kernel(); | |
914 | if ((current->ptrace & (PT_PTRACED|PT_TRACESYS)) | |
915 | != (PT_PTRACED|PT_TRACESYS)) | |
916 | goto out; | |
917 | +#ifdef CONFIG_SECURE_TRACE | |
918 | + if (!user_mode(regs)) | |
919 | + return; /* Don't trace the kernel's syscalls */ | |
920 | +#endif | |
921 | current->exit_code = SIGTRAP; | |
922 | current->state = TASK_STOPPED; | |
923 | notify_parent(current, SIGCHLD); | |
924 | diff -urP linux-2.2.20-ow1/arch/sparc/defconfig linux-2.2.20-hap-2/arch/sparc/defconfig | |
925 | --- linux-2.2.20-ow1/arch/sparc/defconfig Sat Nov 3 13:14:57 2001 | |
926 | +++ linux-2.2.20-hap-2/arch/sparc/defconfig Fri Nov 9 19:16:17 2001 | |
927 | @@ -340,10 +340,15 @@ | |
928 | # | |
929 | CONFIG_SECURE_LINK=y | |
930 | CONFIG_SECURE_FIFO=y | |
931 | -# CONFIG_SECURE_PROC is not set | |
932 | +CONFIG_SECURE_NOTSOMUCH=y | |
933 | +CONFIG_SECURE_PROC=y | |
934 | CONFIG_SECURE_FD_0_1_2=y | |
935 | CONFIG_SECURE_RLIMIT_NPROC=y | |
936 | # CONFIG_SECURE_SHM is not set | |
937 | +CONFIG_SECURE_LOGGING=y | |
938 | +CONFIG_SECURE_NETWORK=y | |
939 | +# CONFIG_SECURE_NET_SBD is not set | |
940 | +CONFIG_SECURE_CHROOT=y | |
941 | ||
942 | # | |
943 | # Kernel hacking | |
944 | diff -urP linux-2.2.20-ow1/arch/sparc/kernel/ptrace.c linux-2.2.20-hap-2/arch/sparc/kernel/ptrace.c | |
945 | --- linux-2.2.20-ow1/arch/sparc/kernel/ptrace.c Fri Nov 2 11:39:06 2001 | |
946 | +++ linux-2.2.20-hap-2/arch/sparc/kernel/ptrace.c Fri Nov 9 19:16:17 2001 | |
947 | @@ -508,6 +508,9 @@ | |
948 | ||
949 | asmlinkage void do_ptrace(struct pt_regs *regs) | |
950 | { | |
951 | +#ifdef CONFIG_SECURE_TRACE | |
952 | + extern int sysctl_security_trace, sysctl_security_trace_gid; | |
953 | +#endif | |
954 | unsigned long request = regs->u_regs[UREG_I0]; | |
955 | unsigned long pid = regs->u_regs[UREG_I1]; | |
956 | unsigned long addr = regs->u_regs[UREG_I2]; | |
957 | @@ -582,6 +585,55 @@ | |
958 | pt_error_return(regs, EPERM); | |
959 | goto out; | |
960 | } | |
961 | +#ifdef CONFIG_SECURE_CHROOT | |
962 | + if (!(hap_same_root_as_init(current)) && | |
963 | + !(hap_same_root(current, child)) ) { | |
964 | + /* | |
965 | + * This process is chrooted; don't let it ptrace | |
966 | + * any process not in the same jail with it | |
967 | + */ | |
968 | + security_alert("denied ptrace of %s[%d] within chrooted " | |
969 | + "jail [%s]:%lu by %s[%d], UID %d, EUID %d, parent %s[%d], UID %d, EUID %d", | |
970 | + "ptraces from a chrooted process", | |
971 | + child->comm, child->pid, kdevname(current->fs->root->d_inode->i_dev), | |
972 | + current->fs->root->d_inode->i_ino, current->comm, current->pid, | |
973 | + current->uid, current->euid, current->p_pptr->comm, current->p_pptr->pid, | |
974 | + current->p_pptr->uid, current->p_pptr->euid ); | |
975 | + pt_error_return(regs, EPERM); | |
976 | + goto out; | |
977 | + } | |
978 | +#endif | |
979 | +#ifdef CONFIG_SECURE_TRACE | |
980 | + if (sysctl_security_trace && current->uid | |
981 | +#ifdef CONFIG_SECURE_TRACE_USERGROUP | |
982 | + && current->egid != sysctl_security_trace_gid | |
983 | +#endif | |
984 | + ) { | |
985 | + security_alert("denied ptrace of %s[%d] by %s[%d], " | |
986 | + "UID/EUID %d/%d, GID/EGID %d/%d, parent %s[%d], " | |
987 | + "UID/EUID %d/%d, GID/EGID %d/%d", | |
988 | + "ptrace attempts", | |
989 | + child->comm, child->pid, current->comm, | |
990 | + current->pid, current->uid, | |
991 | + current->euid, current->gid, | |
992 | + current->egid, current->p_pptr->comm, | |
993 | + current->p_pptr->pid, current->p_pptr->uid, | |
994 | + current->p_pptr->euid, current->p_pptr->gid, | |
995 | + current->p_pptr->egid ); | |
996 | + goto out; | |
997 | + } | |
998 | + security_alert("ptrace of %s[%d] by %s[%d], " | |
999 | + "UID/EUID %d/%d, GID/EGID %d/%d, parent %s[%d], " | |
1000 | + "UID/EUID %d/%d, GID/EGID %d/%d", | |
1001 | + "ptraces", | |
1002 | + child->comm, child->pid, current->comm, | |
1003 | + current->pid, current->uid, | |
1004 | + current->euid, current->gid, | |
1005 | + current->egid, current->p_pptr->comm, | |
1006 | + current->p_pptr->pid, current->p_pptr->uid, | |
1007 | + current->p_pptr->euid, current->p_pptr->gid, | |
1008 | + current->p_pptr->egid ); | |
1009 | +#endif | |
1010 | child->ptrace |= PT_PTRACED; | |
1011 | write_lock_irqsave(&tasklist_lock, flags); | |
1012 | if(child->p_pptr != current) { | |
1013 | @@ -922,14 +974,21 @@ | |
1014 | unlock_kernel(); | |
1015 | } | |
1016 | ||
1017 | -asmlinkage void syscall_trace(void) | |
1018 | +asmlinkage void syscall_trace(int unused) | |
1019 | { | |
1020 | +#ifdef CONFIG_SECURE_TRACE | |
1021 | + struct pt_regs *regs = (struct pt_regs *) &unused; | |
1022 | +#endif | |
1023 | #ifdef DEBUG_PTRACE | |
1024 | printk("%s [%d]: syscall_trace\n", current->comm, current->pid); | |
1025 | #endif | |
1026 | if ((current->ptrace & (PT_PTRACED|PT_TRACESYS)) | |
1027 | != (PT_PTRACED|PT_TRACESYS)) | |
1028 | return; | |
1029 | +#ifdef CONFIG_SECURE_TRACE | |
1030 | + if (!user_mode(regs)) | |
1031 | + return; /* Don't trace the kernel's syscalls */ | |
1032 | +#endif | |
1033 | current->exit_code = SIGTRAP; | |
1034 | current->state = TASK_STOPPED; | |
1035 | current->tss.flags ^= MAGIC_CONSTANT; | |
1036 | diff -urP linux-2.2.20-ow1/arch/sparc64/defconfig linux-2.2.20-hap-2/arch/sparc64/defconfig | |
1037 | --- linux-2.2.20-ow1/arch/sparc64/defconfig Sat Nov 3 13:14:57 2001 | |
1038 | +++ linux-2.2.20-hap-2/arch/sparc64/defconfig Fri Nov 9 19:16:17 2001 | |
1039 | @@ -391,10 +391,15 @@ | |
1040 | # | |
1041 | CONFIG_SECURE_LINK=y | |
1042 | CONFIG_SECURE_FIFO=y | |
1043 | -# CONFIG_SECURE_PROC is not set | |
1044 | +CONFIG_SECURE_NOTSOMUCH=y | |
1045 | +CONFIG_SECURE_PROC=y | |
1046 | CONFIG_SECURE_FD_0_1_2=y | |
1047 | CONFIG_SECURE_RLIMIT_NPROC=y | |
1048 | # CONFIG_SECURE_SHM is not set | |
1049 | +CONFIG_SECURE_LOGGING=y | |
1050 | +CONFIG_SECURE_NETWORK=y | |
1051 | +# CONFIG_SECURE_NET_SBD is not set | |
1052 | +CONFIG_SECURE_CHROOT=y | |
1053 | ||
1054 | # | |
1055 | # Watchdog | |
1056 | diff -urP linux-2.2.20-ow1/arch/sparc64/kernel/ptrace.c linux-2.2.20-hap-2/arch/sparc64/kernel/ptrace.c | |
1057 | --- linux-2.2.20-ow1/arch/sparc64/kernel/ptrace.c Fri Nov 2 11:39:06 2001 | |
1058 | +++ linux-2.2.20-hap-2/arch/sparc64/kernel/ptrace.c Fri Nov 9 19:16:17 2001 | |
1059 | @@ -537,6 +537,9 @@ | |
1060 | ||
1061 | asmlinkage void do_ptrace(struct pt_regs *regs) | |
1062 | { | |
1063 | +#ifdef CONFIG_SECURE_TRACE | |
1064 | + extern int sysctl_security_trace, sysctl_security_trace_gid; | |
1065 | +#endif | |
1066 | int request = regs->u_regs[UREG_I0]; | |
1067 | pid_t pid = regs->u_regs[UREG_I1]; | |
1068 | unsigned long addr = regs->u_regs[UREG_I2]; | |
1069 | @@ -620,6 +623,55 @@ | |
1070 | pt_error_return(regs, EPERM); | |
1071 | goto out; | |
1072 | } | |
1073 | +#ifdef CONFIG_SECURE_CHROOT | |
1074 | + if (!(hap_same_root_as_init(current)) && | |
1075 | + !(hap_same_root(current, child)) ) { | |
1076 | + /* | |
1077 | + * This process is chrooted; don't let it ptrace | |
1078 | + * any process not in the same jail with it | |
1079 | + */ | |
1080 | + security_alert("denied ptrace of %s[%d] within chrooted " | |
1081 | + "jail [%s]:%lu by %s[%d], UID %d, EUID %d, parent %s[%d], UID %d, EUID %d", | |
1082 | + "ptraces from a chrooted process", | |
1083 | + child->comm, child->pid, kdevname(current->fs->root->d_inode->i_dev), | |
1084 | + current->fs->root->d_inode->i_ino, current->comm, current->pid, | |
1085 | + current->uid, current->euid, current->p_pptr->comm, current->p_pptr->pid, | |
1086 | + current->p_pptr->uid, current->p_pptr->euid ); | |
1087 | + pt_error_return(regs, EPERM); | |
1088 | + goto out; | |
1089 | + } | |
1090 | +#endif | |
1091 | +#ifdef CONFIG_SECURE_TRACE | |
1092 | + if (sysctl_security_trace && current->uid | |
1093 | +#ifdef CONFIG_SECURE_TRACE_USERGROUP | |
1094 | + && current->egid != sysctl_security_trace_gid | |
1095 | +#endif | |
1096 | + ) { | |
1097 | + security_alert("denied ptrace of %s[%d] by %s[%d], " | |
1098 | + "UID/EUID %d/%d, GID/EGID %d/%d, parent %s[%d], " | |
1099 | + "UID/EUID %d/%d, GID/EGID %d/%d", | |
1100 | + "ptrace attempts", | |
1101 | + child->comm, child->pid, current->comm, | |
1102 | + current->pid, current->uid, | |
1103 | + current->euid, current->gid, | |
1104 | + current->egid, current->p_pptr->comm, | |
1105 | + current->p_pptr->pid, current->p_pptr->uid, | |
1106 | + current->p_pptr->euid, current->p_pptr->gid, | |
1107 | + current->p_pptr->egid ); | |
1108 | + goto out; | |
1109 | + } | |
1110 | + security_alert("ptrace of %s[%d] by %s[%d], " | |
1111 | + "UID/EUID %d/%d, GID/EGID %d/%d, parent %s[%d], " | |
1112 | + "UID/EUID %d/%d, GID/EGID %d/%d", | |
1113 | + "ptraces", | |
1114 | + child->comm, child->pid, current->comm, | |
1115 | + current->pid, current->uid, | |
1116 | + current->euid, current->gid, | |
1117 | + current->egid, current->p_pptr->comm, | |
1118 | + current->p_pptr->pid, current->p_pptr->uid, | |
1119 | + current->p_pptr->euid, current->p_pptr->gid, | |
1120 | + current->p_pptr->egid ); | |
1121 | +#endif | |
1122 | child->ptrace |= PT_PTRACED; | |
1123 | write_lock_irqsave(&tasklist_lock, flags); | |
1124 | if(child->p_pptr != current) { | |
1125 | @@ -1134,14 +1186,21 @@ | |
1126 | unlock_kernel(); | |
1127 | } | |
1128 | ||
1129 | -asmlinkage void syscall_trace(void) | |
1130 | +asmlinkage void syscall_trace(int unused) | |
1131 | { | |
1132 | +#ifdef CONFIG_SECURE_TRACE | |
1133 | + struct pt_regs *regs = (struct pt_regs *) &unused; | |
1134 | +#endif | |
1135 | #ifdef DEBUG_PTRACE | |
1136 | printk("%s [%d]: syscall_trace\n", current->comm, current->pid); | |
1137 | #endif | |
1138 | if ((current->ptrace & (PT_PTRACED|PT_TRACESYS)) | |
1139 | != (PT_PTRACED|PT_TRACESYS)) | |
1140 | return; | |
1141 | +#ifdef CONFIG_SECURE_TRACE | |
1142 | + if (!user_mode(regs)) | |
1143 | + return; /* Don't trace the kernel's syscalls */ | |
1144 | +#endif | |
1145 | current->exit_code = SIGTRAP; | |
1146 | current->state = TASK_STOPPED; | |
1147 | current->tss.flags ^= MAGIC_CONSTANT; | |
1148 | diff -urP linux-2.2.20-ow1/fs/exec.c linux-2.2.20-hap-2/fs/exec.c | |
1149 | --- linux-2.2.20-ow1/fs/exec.c Sat Nov 3 13:14:57 2001 | |
1150 | +++ linux-2.2.20-hap-2/fs/exec.c Sat Nov 10 02:37:07 2001 | |
1151 | @@ -674,6 +674,9 @@ | |
1152 | */ | |
1153 | int prepare_binprm(struct linux_binprm *bprm) | |
1154 | { | |
1155 | +#ifdef CONFIG_SECURE_TRACE | |
1156 | + extern int sysctl_security_trace, sysctl_security_trace_gid; | |
1157 | +#endif | |
1158 | int mode; | |
1159 | int retval,id_change,cap_raised; | |
1160 | struct inode * inode = bprm->dentry->d_inode; | |
1161 | @@ -778,7 +781,55 @@ | |
1162 | return retval; | |
1163 | #endif | |
1164 | } | |
1165 | - | |
1166 | +/* Total mess of ifdef's follow. */ | |
1167 | +#if defined(CONFIG_SECURE_BUGFIX) || defined(CONFIG_SECURE_TRACE) | |
1168 | + /* ptraced executables must be readable */ | |
1169 | + if (current->ptrace & PT_PTRACED) { | |
1170 | +#ifdef CONFIG_SECURE_TRACE | |
1171 | + if (sysctl_security_trace && current->uid | |
1172 | +#ifdef CONFIG_SECURE_TRACE_USERGROUP | |
1173 | + && current->egid != sysctl_security_trace_gid | |
1174 | +#endif | |
1175 | + ) { | |
1176 | + security_alert("denied ptrace of %s by %s[%d], " | |
1177 | + "UID/EUID %d/%d, GID/EGID %d/%d, parent %s[%d], " | |
1178 | + "UID/EUID %d/%d, GID/EGID %d/%d", | |
1179 | + "ptrace attempts", | |
1180 | + bprm->filename, current->comm, current->pid, current->uid, | |
1181 | + current->euid, current->gid, current->egid, current->p_pptr->comm, | |
1182 | + current->p_pptr->pid, current->p_pptr->uid, current->p_pptr->euid, | |
1183 | + current->p_pptr->gid, current->p_pptr->egid); | |
1184 | + return -EPERM; | |
1185 | + } | |
1186 | +#endif /* CONFIG_SECURE_TRACE */ | |
1187 | +#ifdef CONFIG_SECURE_BUGFIX | |
1188 | + if ((retval = permission(bprm->dentry->d_inode, MAY_READ)) != 0) { | |
1189 | +#ifdef CONFIG_SECURE_LOGGING | |
1190 | + security_alert("refused ptrace of unreadable executable %s by " | |
1191 | + "%s[%d], UID/EUID %d/%d, GID/EGID %d/%d, parent %s[%d], " | |
1192 | + "UID/EUID %d/%d, GID/EGID %d/%d", | |
1193 | + "unreadable executables ptraced", | |
1194 | + bprm->filename, current->comm, current->pid, current->uid, | |
1195 | + current->euid, current->gid, current->egid, current->p_pptr->comm, | |
1196 | + current->p_pptr->pid, current->p_pptr->uid, current->p_pptr->euid, | |
1197 | + current->p_pptr->gid, current->p_pptr->egid); | |
1198 | +#endif /* CONFIG_SECURE_LOGGING */ | |
1199 | + return -EPERM; | |
1200 | + } | |
1201 | +#endif /* CONFIG_SECURE_BUGFIX */ | |
1202 | +#ifdef CONFIG_SECURE_TRACE | |
1203 | + /* log all permitted ptrace's */ | |
1204 | + security_alert("ptrace of %s by %s[%d], " | |
1205 | + "UID/EUID %d/%d, GID/EGID %d/%d, parent %s[%d], " | |
1206 | + "UID/EUID %d/%d, GID/EGID %d/%d", | |
1207 | + "ptraces", | |
1208 | + bprm->filename, current->comm, current->pid, current->uid, | |
1209 | + current->euid, current->gid, current->egid, current->p_pptr->comm, | |
1210 | + current->p_pptr->pid, current->p_pptr->uid, current->p_pptr->euid, | |
1211 | + current->p_pptr->gid, current->p_pptr->egid); | |
1212 | +#endif /* CONFIG_SECURE_TRACE */ | |
1213 | + } | |
1214 | +#endif /* CONFIG_SECURE_BUGFIX || CONFIG_SECURE_TRACE */ | |
1215 | memset(bprm->buf,0,sizeof(bprm->buf)); | |
1216 | return read_exec(bprm->dentry,0,bprm->buf,128,1); | |
1217 | } | |
1218 | @@ -946,6 +997,22 @@ | |
1219 | int retval; | |
1220 | int i; | |
1221 | ||
1222 | +#ifdef CONFIG_SECURE_CHROOT | |
1223 | + if (!(hap_same_root_as_init(current))) { | |
1224 | + /* | |
1225 | + * This process is in a chrooted jail; log everything it exec's | |
1226 | + */ | |
1227 | + security_alert("exec of %s within chrooted jail [%s]:%lu by " | |
1228 | + "%s[%d], UID %d, EUID %d, parent %s[%d], UID %d, EUID %d", | |
1229 | + "execs from a chrooted process", | |
1230 | + filename, kdevname(current->fs->root->d_inode->i_dev), | |
1231 | + current->fs->root->d_inode->i_ino,current->comm, | |
1232 | + current->pid,current->uid, current->euid, | |
1233 | + current->p_pptr->comm, current->p_pptr->pid, | |
1234 | + current->p_pptr->uid, current->p_pptr->euid ); | |
1235 | + } | |
1236 | +#endif /* CONFIG_SECURE_CHROOT */ | |
1237 | + | |
1238 | #ifdef CONFIG_SECURE_RLIMIT_NPROC | |
1239 | /* | |
1240 | * This check is similar to that done in kernel/fork.c, except that we | |
1241 | diff -urP linux-2.2.20-ow1/fs/namei.c linux-2.2.20-hap-2/fs/namei.c | |
1242 | --- linux-2.2.20-ow1/fs/namei.c Sat Nov 3 13:14:57 2001 | |
1243 | +++ linux-2.2.20-hap-2/fs/namei.c Fri Nov 9 19:16:17 2001 | |
1244 | @@ -306,18 +306,28 @@ | |
1245 | if (S_ISLNK(inode->i_mode) && | |
1246 | (base->d_inode->i_mode & S_ISVTX) && | |
1247 | inode->i_uid != base->d_inode->i_uid && | |
1248 | +#ifdef CONFIG_SECURE_NOTSOMUCH | |
1249 | + /* | |
1250 | + * Let this happen as long as the +t dir is | |
1251 | + * not world-writable. | |
1252 | + */ | |
1253 | + (base->d_inode->i_mode & S_IWOTH) && | |
1254 | +#endif | |
1255 | current->fsuid != inode->i_uid) { | |
1256 | - security_alert("not followed symlink of %d.%d " | |
1257 | - "by UID %d, EUID %d, process %s:%d", | |
1258 | + security_alert("not followed symlink of [%s]:%lu " | |
1259 | + "owned by %d.%d by %s[%d], UID %d, " | |
1260 | + "EUID %d, parent %s[%d], UID %d, EUID %d", | |
1261 | "symlinks not followed", | |
1262 | - inode->i_uid, inode->i_gid, | |
1263 | - current->uid, current->euid, | |
1264 | - current->comm, current->pid); | |
1265 | + kdevname(inode->i_dev), inode->i_ino, | |
1266 | + inode->i_uid, inode->i_gid, current->comm, | |
1267 | + current->pid, current->uid, current->euid, | |
1268 | + current->p_pptr->comm, current->p_pptr->pid, | |
1269 | + current->p_pptr->uid, current->p_pptr->euid); | |
1270 | dput(dentry); | |
1271 | dput(base); | |
1272 | return ERR_PTR(-EACCES); | |
1273 | } | |
1274 | -#endif | |
1275 | +#endif /* CONFIG_SECURE_LINK */ | |
1276 | ||
1277 | if (current->need_resched) { | |
1278 | current->state = TASK_RUNNING; | |
1279 | @@ -756,19 +766,28 @@ | |
1280 | if (S_ISFIFO(inode->i_mode) && !(flag & O_EXCL) && | |
1281 | (dir->d_inode->i_mode & S_ISVTX) && | |
1282 | inode->i_uid != dir->d_inode->i_uid && | |
1283 | +#ifdef CONFIG_SECURE_NOTSOMUCH | |
1284 | + /* | |
1285 | + * Let this happen as long as the +t dir isn't world-writable | |
1286 | + */ | |
1287 | + (dir->d_inode->i_mode & S_IWOTH) && | |
1288 | +#endif | |
1289 | current->fsuid != inode->i_uid) { | |
1290 | if (!permission(inode, acc_mode)) | |
1291 | - security_alert("denied writing FIFO of %d.%d " | |
1292 | - "by UID %d, EUID %d, process %s:%d", | |
1293 | + security_alert("denied writing FIFO [%s]:%lu owned " | |
1294 | + "by %d.%d by %s[%d], UID %d, EUID %d, parent " | |
1295 | + "%s[%d], UID %d, EUID %d", | |
1296 | "writes into a FIFO denied", | |
1297 | - inode->i_uid, inode->i_gid, | |
1298 | - current->uid, current->euid, | |
1299 | - current->comm, current->pid); | |
1300 | + kdevname(inode->i_dev), inode->i_ino, | |
1301 | + inode->i_uid, inode->i_gid, current->comm, | |
1302 | + current->pid, current->uid, current->euid, | |
1303 | + current->p_pptr->comm, current->p_pptr->pid, | |
1304 | + current->p_pptr->uid, current->p_pptr->euid); | |
1305 | error = -EACCES; | |
1306 | unlock_dir(dir); | |
1307 | goto exit; | |
1308 | } | |
1309 | -#endif | |
1310 | +#endif /* CONFIG_SECURE_FIFO */ | |
1311 | ||
1312 | /* | |
1313 | * Somebody might have created the file while we | |
1314 | @@ -909,6 +928,10 @@ | |
1315 | { | |
1316 | int error; | |
1317 | char * tmp; | |
1318 | + struct dentry * dentry; | |
1319 | +#ifdef CONFIG_SECURE_CHROOT | |
1320 | + char hap_dev_mode; | |
1321 | +#endif | |
1322 | ||
1323 | lock_kernel(); | |
1324 | error = -EPERM; | |
1325 | @@ -927,7 +950,41 @@ | |
1326 | tmp = getname(filename); | |
1327 | error = PTR_ERR(tmp); | |
1328 | if (!IS_ERR(tmp)) { | |
1329 | - struct dentry * dentry = do_mknod(tmp,mode,dev); | |
1330 | +#ifdef CONFIG_SECURE_CHROOT | |
1331 | + if (!S_ISFIFO(mode)) { | |
1332 | + if (!(hap_same_root_as_init(current))) { | |
1333 | + /* | |
1334 | + * This process is in a chrooted jail; don't let it | |
1335 | + * make a raw device through which to break out (by | |
1336 | + * double-mounting an fs, reading kmem, kybd, etc) | |
1337 | + */ | |
1338 | + switch (mode & S_IFMT) { | |
1339 | + case S_IFREG: hap_dev_mode = 'r'; break; | |
1340 | + case S_IFCHR: hap_dev_mode = 'c'; break; | |
1341 | + case S_IFBLK: hap_dev_mode = 'b'; break; | |
1342 | + case S_IFSOCK: hap_dev_mode = 's'; break; | |
1343 | + default: hap_dev_mode = 'u'; | |
1344 | + } | |
1345 | + security_alert("refused attempt to mknod %c:[%s] (%s) " | |
1346 | + "from chrooted jail [%s]:%lu owned by %d.%d by " | |
1347 | + "%s[%d], UID %d, EUID %d, parent %s[%d], UID " | |
1348 | + "%d, EUID %d", | |
1349 | + "chrooted mknods denied", | |
1350 | + hap_dev_mode, kdevname(dev), tmp, | |
1351 | + kdevname(current->fs->root->d_inode->i_dev), | |
1352 | + current->fs->root->d_inode->i_ino, | |
1353 | + current->fs->root->d_inode->i_uid, | |
1354 | + current->fs->root->d_inode->i_gid, current->comm, | |
1355 | + current->pid, current->uid, current->euid, | |
1356 | + current->p_pptr->comm, current->p_pptr->pid, | |
1357 | + current->p_pptr->uid, current->p_pptr->euid); | |
1358 | + putname(tmp); | |
1359 | + error = -EPERM; | |
1360 | + goto out; | |
1361 | + } | |
1362 | + } | |
1363 | +#endif | |
1364 | + dentry = do_mknod(tmp,mode,dev); | |
1365 | putname(tmp); | |
1366 | error = PTR_ERR(dentry); | |
1367 | if (!IS_ERR(dentry)) { | |
1368 | @@ -1258,13 +1315,21 @@ | |
1369 | ((inode->i_mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP)) || | |
1370 | (error = permission(inode, MAY_READ | MAY_WRITE))) && | |
1371 | !capable(CAP_FOWNER) && | |
1372 | +#ifdef CONFIG_SECURE_NOTSOMUCH | |
1373 | + /* | |
1374 | + * Let users hard link to files in their group. | |
1375 | + */ | |
1376 | + current->fsgid != inode->i_gid && | |
1377 | +#endif | |
1378 | current->uid) { | |
1379 | - security_alert("denied hard link to %d.%d " | |
1380 | - "for UID %d, EUID %d, process %s:%d", | |
1381 | + security_alert("denied hard link to [%s]:%lu owned by %d.%d " | |
1382 | + "by %s[%d], UID %d, EUID %d, parent %s[%d], UID %d, EUID %d", | |
1383 | "hard links denied", | |
1384 | + kdevname(inode->i_dev), inode->i_ino, | |
1385 | inode->i_uid, inode->i_gid, | |
1386 | - current->uid, current->euid, | |
1387 | - current->comm, current->pid); | |
1388 | + current->comm, current->pid, current->uid, current->euid, | |
1389 | + current->p_pptr->comm, current->p_pptr->pid, | |
1390 | + current->p_pptr->uid, current->p_pptr->euid); | |
1391 | goto exit_lock; | |
1392 | } | |
1393 | #endif | |
1394 | diff -urP linux-2.2.20-ow1/fs/open.c linux-2.2.20-hap-2/fs/open.c | |
1395 | --- linux-2.2.20-ow1/fs/open.c Fri Nov 2 11:39:08 2001 | |
1396 | +++ linux-2.2.20-hap-2/fs/open.c Fri Nov 9 19:16:17 2001 | |
1397 | @@ -402,6 +402,9 @@ | |
1398 | int error; | |
1399 | struct inode *inode; | |
1400 | struct dentry *dentry, *tmp; | |
1401 | +#ifdef CONFIG_SECURE_CHROOT | |
1402 | + char * hap_new_chroot_path; | |
1403 | +#endif | |
1404 | ||
1405 | lock_kernel(); | |
1406 | ||
1407 | @@ -423,11 +426,55 @@ | |
1408 | error = -EPERM; | |
1409 | if (!capable(CAP_SYS_CHROOT)) | |
1410 | goto dput_and_out; | |
1411 | +#ifdef CONFIG_SECURE_CHROOT | |
1412 | + if (!(hap_same_root_as_init(current))) { | |
1413 | + /* | |
1414 | + * This process is already in a chrooted jail; don't let it chroot out. | |
1415 | + */ | |
1416 | + if (IS_ERR(hap_new_chroot_path = getname(filename))) | |
1417 | + hap_new_chroot_path = "[err]"; | |
1418 | + security_alert("refused attempt to chroot from [%s]:%lu to " | |
1419 | + "[%s]:%lu (%s) owned by %d.%d, process %s[%d], UID %d, " | |
1420 | + "EUID %d, parent %s[%d], UID %d, EUID %d", | |
1421 | + "double chroots denied", | |
1422 | + kdevname(current->fs->root->d_inode->i_dev), | |
1423 | + current->fs->root->d_inode->i_ino, | |
1424 | + kdevname(inode->i_dev), inode->i_ino, hap_new_chroot_path, | |
1425 | + inode->i_uid, inode->i_gid, | |
1426 | + current->comm, current->pid, current->uid, current->euid, | |
1427 | + current->p_pptr->comm, current->p_pptr->pid, | |
1428 | + current->p_pptr->uid, current->p_pptr->euid); | |
1429 | + putname(hap_new_chroot_path); | |
1430 | + error = -EPERM; | |
1431 | + goto dput_and_out; | |
1432 | + } | |
1433 | +#endif | |
1434 | ||
1435 | /* exchange dentries */ | |
1436 | tmp = current->fs->root; | |
1437 | current->fs->root = dentry; | |
1438 | dentry = tmp; | |
1439 | +#ifdef CONFIG_SECURE_CHROOT | |
1440 | + /* drop various dangerous capabilities when chrooting | |
1441 | + * note init is exempt for initrd-type games */ | |
1442 | + if (current->pid && current->pid > 1) { | |
1443 | + cap_lower(current->cap_permitted, | |
1444 | + CAP_FOWNER & CAP_SETPCAP & CAP_LINUX_IMMUTABLE & | |
1445 | + CAP_NET_ADMIN & CAP_SYS_MODULE & CAP_SYS_RAWIO & | |
1446 | + CAP_SYS_PACCT & CAP_SYS_ADMIN & CAP_SYS_BOOT & | |
1447 | + CAP_SYS_RESOURCE & CAP_SYS_TIME & CAP_SYS_TTY_CONFIG); | |
1448 | + cap_lower(current->cap_inheritable, | |
1449 | + CAP_FOWNER & CAP_SETPCAP & CAP_LINUX_IMMUTABLE & | |
1450 | + CAP_NET_ADMIN & CAP_SYS_MODULE & CAP_SYS_RAWIO & | |
1451 | + CAP_SYS_PACCT & CAP_SYS_ADMIN & CAP_SYS_BOOT & | |
1452 | + CAP_SYS_RESOURCE & CAP_SYS_TIME & CAP_SYS_TTY_CONFIG); | |
1453 | + cap_lower(current->cap_effective, | |
1454 | + CAP_FOWNER & CAP_SETPCAP & CAP_LINUX_IMMUTABLE & | |
1455 | + CAP_NET_ADMIN & CAP_SYS_MODULE & CAP_SYS_RAWIO & | |
1456 | + CAP_SYS_PACCT & CAP_SYS_ADMIN & CAP_SYS_BOOT & | |
1457 | + CAP_SYS_RESOURCE & CAP_SYS_TIME & CAP_SYS_TTY_CONFIG); | |
1458 | + } | |
1459 | +#endif | |
1460 | error = 0; | |
1461 | ||
1462 | dput_and_out: | |
1463 | @@ -464,6 +511,31 @@ | |
1464 | goto out_putf; | |
1465 | if (mode == (mode_t) -1) | |
1466 | mode = inode->i_mode; | |
1467 | +#ifdef CONFIG_SECURE_CHROOT | |
1468 | + if ((mode & S_ISUID) || (mode & S_ISGID)) { | |
1469 | + if (!(hap_same_root_as_init(current))) { | |
1470 | + /* | |
1471 | + * This process is chrooted; don't let it turn on the set[ug]id bits. | |
1472 | + */ | |
1473 | + security_alert("refused attempt to fchmod +s [%s]:%lu " | |
1474 | + "owned by %d.%d to mode 0%07o from chrooted jail " | |
1475 | + "[%s]:%lu owned by %d.%d by %s[%d], UID %d, EUID " | |
1476 | + "%d, parent %s[%d], UID %d, EUID %d", | |
1477 | + "chrooted fchmod +s's denied", | |
1478 | + kdevname(inode->i_dev), inode->i_ino, | |
1479 | + inode->i_uid, inode->i_gid, mode, | |
1480 | + kdevname(current->fs->root->d_inode->i_dev), | |
1481 | + current->fs->root->d_inode->i_ino, | |
1482 | + current->fs->root->d_inode->i_uid, | |
1483 | + current->fs->root->d_inode->i_gid, current->comm, | |
1484 | + current->pid, current->uid, current->euid, | |
1485 | + current->p_pptr->comm, current->p_pptr->pid, | |
1486 | + current->p_pptr->uid, current->p_pptr->euid); | |
1487 | + err = -EPERM; | |
1488 | + goto out_putf; | |
1489 | + } | |
1490 | + } | |
1491 | +#endif | |
1492 | newattrs.ia_mode = (mode & S_IALLUGO) | (inode->i_mode & ~S_IALLUGO); | |
1493 | newattrs.ia_valid = ATTR_MODE | ATTR_CTIME; | |
1494 | err = notify_change(dentry, &newattrs); | |
1495 | @@ -481,6 +553,9 @@ | |
1496 | struct inode * inode; | |
1497 | int error; | |
1498 | struct iattr newattrs; | |
1499 | +#ifdef CONFIG_SECURE_CHROOT | |
1500 | + char * hap_chmod_filename; | |
1501 | +#endif | |
1502 | ||
1503 | lock_kernel(); | |
1504 | dentry = namei(filename); | |
1505 | @@ -500,6 +575,34 @@ | |
1506 | ||
1507 | if (mode == (mode_t) -1) | |
1508 | mode = inode->i_mode; | |
1509 | +#ifdef CONFIG_SECURE_CHROOT | |
1510 | + if ((mode & S_ISUID) || (mode & S_ISGID)) { | |
1511 | + if (!(hap_same_root_as_init(current))) { | |
1512 | + /* | |
1513 | + * This process is chrooted; don't let it turn on the set[gu]id bits. | |
1514 | + */ | |
1515 | + if (IS_ERR(hap_chmod_filename = getname(filename))) | |
1516 | + hap_chmod_filename = "[err]"; | |
1517 | + security_alert("refused attempt to chmod +s [%s]:%lu " | |
1518 | + "(%s) owned by %d.%d to mode 0%07o from chrooted " | |
1519 | + "jail [%s]:%lu owned by %d.%d by %s[%d], UID %d, " | |
1520 | + "EUID %d, parent %s[%d], UID %d, EUID %d", | |
1521 | + "chrooted chmod +s's denied", | |
1522 | + kdevname(inode->i_dev), inode->i_ino, hap_chmod_filename, | |
1523 | + inode->i_uid, inode->i_gid, mode, | |
1524 | + kdevname(current->fs->root->d_inode->i_dev), | |
1525 | + current->fs->root->d_inode->i_ino, | |
1526 | + current->fs->root->d_inode->i_uid, | |
1527 | + current->fs->root->d_inode->i_gid, current->comm, | |
1528 | + current->pid, current->uid, current->euid, | |
1529 | + current->p_pptr->comm, current->p_pptr->pid, | |
1530 | + current->p_pptr->uid, current->p_pptr->euid); | |
1531 | + putname(hap_chmod_filename); | |
1532 | + error = -EPERM; | |
1533 | + goto dput_and_out; | |
1534 | + } | |
1535 | + } | |
1536 | +#endif | |
1537 | newattrs.ia_mode = (mode & S_IALLUGO) | (inode->i_mode & ~S_IALLUGO); | |
1538 | newattrs.ia_valid = ATTR_MODE | ATTR_CTIME; | |
1539 | error = notify_change(dentry, &newattrs); | |
1540 | diff -urP linux-2.2.20-ow1/fs/super.c linux-2.2.20-hap-2/fs/super.c | |
1541 | --- linux-2.2.20-ow1/fs/super.c Fri Nov 2 11:39:08 2001 | |
1542 | +++ linux-2.2.20-hap-2/fs/super.c Fri Nov 9 19:16:17 2001 | |
1543 | @@ -36,6 +36,10 @@ | |
1544 | #include <linux/kmod.h> | |
1545 | #endif | |
1546 | ||
1547 | +#ifdef CONFIG_SECURE_CHROOT | |
1548 | +#include <linux/sched.h> | |
1549 | +#endif | |
1550 | + | |
1551 | /* | |
1552 | * We use a semaphore to synchronize all mount/umount | |
1553 | * activity - imagine the mess if we have a race between | |
1554 | @@ -1045,10 +1049,42 @@ | |
1555 | unsigned long flags = 0; | |
1556 | unsigned long page = 0; | |
1557 | struct file dummy; /* allows read-write or read-only flag */ | |
1558 | +#ifdef CONFIG_SECURE_CHROOT | |
1559 | + char * hap_mount_dev; | |
1560 | + char * hap_mount_path; | |
1561 | +#endif | |
1562 | ||
1563 | lock_kernel(); | |
1564 | if (!capable(CAP_SYS_ADMIN)) | |
1565 | goto out; | |
1566 | +#ifdef CONFIG_SECURE_CHROOT | |
1567 | + if (!(hap_same_root_as_init(current))) { | |
1568 | + /* | |
1569 | + * This process is in a chrooted jail; don't let it (re)mount any filesystems. | |
1570 | + */ | |
1571 | + if(IS_ERR(hap_mount_dev = getname(dev_name))) | |
1572 | + hap_mount_dev = "nodev"; | |
1573 | + if(IS_ERR(hap_mount_path = getname(dir_name))) | |
1574 | + hap_mount_path = "[err]"; | |
1575 | + security_alert("refused attempt to mount [%s] as %s " | |
1576 | + "from chrooted jail [%s]:%lu owned by %d.%d by " | |
1577 | + "%s[%d], UID %d, EUID %d, parent %s[%d], UID " | |
1578 | + "%d, EUID %d", | |
1579 | + "chrooted mounts denied", | |
1580 | + hap_mount_dev, hap_mount_path, | |
1581 | + kdevname(current->fs->root->d_inode->i_dev), | |
1582 | + current->fs->root->d_inode->i_ino, | |
1583 | + current->fs->root->d_inode->i_uid, | |
1584 | + current->fs->root->d_inode->i_gid, current->comm, current->pid, | |
1585 | + current->uid, current->euid, current->p_pptr->comm, | |
1586 | + current->p_pptr->pid, current->p_pptr->uid, | |
1587 | + current->p_pptr->euid); | |
1588 | + putname(hap_mount_dev); | |
1589 | + putname(hap_mount_path); | |
1590 | + retval = -EPERM; | |
1591 | + goto out; | |
1592 | + } | |
1593 | +#endif | |
1594 | if ((new_flags & | |
1595 | (MS_MGC_MSK | MS_REMOUNT)) == (MS_MGC_VAL | MS_REMOUNT)) { | |
1596 | retval = copy_mount_options (data, &page); | |
1597 | diff -urP linux-2.2.20-ow1/include/linux/kernel.h linux-2.2.20-hap-2/include/linux/kernel.h | |
1598 | --- linux-2.2.20-ow1/include/linux/kernel.h Sat Nov 3 13:14:57 2001 | |
1599 | +++ linux-2.2.20-hap-2/include/linux/kernel.h Sat Nov 10 02:20:12 2001 | |
1600 | @@ -89,18 +89,33 @@ | |
1601 | \ | |
1602 | spin_lock(&security_alert_lock); \ | |
1603 | \ | |
1604 | -/* Make sure at least one minute passed since the last warning logged */ \ | |
1605 | - if (!warning_time || jiffies - warning_time > 60 * HZ) { \ | |
1606 | +/* Make sure at least one second passed since the last warning logged */ \ | |
1607 | + if (!warning_time || jiffies - warning_time > HZ) { \ | |
1608 | warning_time = jiffies; no_flood_yet = 1; \ | |
1609 | - printk(KERN_ALERT "Security: " normal_msg "\n", ## args); \ | |
1610 | + printk(KERN_WARNING "Security: " normal_msg "\n", ## args); \ | |
1611 | } else if (no_flood_yet) { \ | |
1612 | warning_time = jiffies; no_flood_yet = 0; \ | |
1613 | - printk(KERN_ALERT "Security: more " flood_msg \ | |
1614 | - ", logging disabled for a minute\n"); \ | |
1615 | + printk(KERN_WARNING "Security: more " flood_msg \ | |
1616 | + ", logging disabled for one second\n"); \ | |
1617 | } \ | |
1618 | \ | |
1619 | spin_unlock(&security_alert_lock); \ | |
1620 | }) | |
1621 | + | |
1622 | +#ifdef CONFIG_SECURE_CHROOT | |
1623 | +#define hap_same_root(haptask1, haptask2) \ | |
1624 | + /* if root devices and inodes match, processes share a \ | |
1625 | + * common root (neither, or both together, are chrooted) */ \ | |
1626 | + ((haptask1->fs->root->d_inode->i_dev == \ | |
1627 | + haptask2->fs->root->d_inode->i_dev) && \ | |
1628 | + (haptask1->fs->root->d_inode->i_ino == \ | |
1629 | + haptask2->fs->root->d_inode->i_ino) ) | |
1630 | + | |
1631 | +#define hap_same_root_as_init(haptask) \ | |
1632 | + /* compare the given process to init */ \ | |
1633 | + hap_same_root(haptask, \ | |
1634 | + (task[smp_num_cpus] ? : task[0])) /* voodoo */ | |
1635 | +#endif /* CONFIG_SECURE_CHROOT */ | |
1636 | ||
1637 | #endif /* __KERNEL__ */ | |
1638 | ||
1639 | diff -urP linux-2.2.20-ow1/include/linux/sysctl.h linux-2.2.20-hap-2/include/linux/sysctl.h | |
1640 | --- linux-2.2.20-ow1/include/linux/sysctl.h Sun Mar 25 11:37:40 2001 | |
1641 | +++ linux-2.2.20-hap-2/include/linux/sysctl.h Fri Nov 9 19:16:17 2001 | |
1642 | @@ -107,7 +107,8 @@ | |
1643 | KERN_SHMALL=41, /* int: maximum size of shared memory */ | |
1644 | KERN_SPARC_STOP_A=44, /* int: Sparc Stop-A enable */ | |
1645 | KERN_HOTPLUG=49, /* string: path to hotplug policy agent */ | |
1646 | - KERN_IEEE_EMULATION_WARNINGS=50 /* int: unimplemented ieee instructions */ | |
1647 | + KERN_IEEE_EMULATION_WARNINGS=50, /* int: unimplemented ieee instructions */ | |
1648 | + KERN_SECURITY=51 /* Security */ | |
1649 | }; | |
1650 | ||
1651 | ||
1652 | diff -urP linux-2.2.20-ow1/include/linux/tasks.h linux-2.2.20-hap-2/include/linux/tasks.h | |
1653 | --- linux-2.2.20-ow1/include/linux/tasks.h Sun Mar 25 11:31:03 2001 | |
1654 | +++ linux-2.2.20-hap-2/include/linux/tasks.h Sat Nov 10 02:20:12 2001 | |
1655 | @@ -11,7 +11,7 @@ | |
1656 | #define NR_CPUS 1 | |
1657 | #endif | |
1658 | ||
378925ef | 1659 | -#define NR_TASKS 4080 /* On x86 Max about 4000 */ |
85213f0d KT |
1660 | +#define NR_TASKS 2048 /* On x86 Max about 4000 */ |
1661 | ||
378925ef KT |
1662 | #define MAX_TASKS_PER_USER 256 |
1663 | #define MIN_TASKS_LEFT_FOR_ROOT 64 | |
85213f0d KT |
1664 | diff -urP linux-2.2.20-ow1/include/net/dst.h linux-2.2.20-hap-2/include/net/dst.h |
1665 | --- linux-2.2.20-ow1/include/net/dst.h Sun Mar 25 11:31:07 2001 | |
1666 | +++ linux-2.2.20-hap-2/include/net/dst.h Sat Nov 10 02:21:36 2001 | |
1667 | @@ -16,7 +16,11 @@ | |
1668 | * 1 - rare events and bugs (default) | |
1669 | * 2 - trace mode. | |
1670 | */ | |
1671 | -#define RT_CACHE_DEBUG 0 | |
1672 | +#ifdef CONFIG_SECURE_LOGGING | |
1673 | +#define RT_CACHE_DEBUG 1 | |
1674 | +#else | |
1675 | +#define RT_CACHE_DEBUG 0 | |
1676 | +#endif | |
1677 | ||
1678 | #define DST_GC_MIN (1*HZ) | |
1679 | #define DST_GC_INC (5*HZ) | |
1680 | diff -urP linux-2.2.20-ow1/kernel/fork.c linux-2.2.20-hap-2/kernel/fork.c | |
1681 | --- linux-2.2.20-ow1/kernel/fork.c Sat Nov 3 13:14:57 2001 | |
1682 | +++ linux-2.2.20-hap-2/kernel/fork.c Fri Nov 9 19:16:17 2001 | |
1683 | @@ -746,6 +746,15 @@ | |
1684 | free_uid(p); | |
1685 | bad_fork_free: | |
1686 | free_task_struct(p); | |
1687 | +#ifdef CONFIG_SECURE_LOGGING | |
1688 | + security_alert("fork failure errno %d by %s[%d], UID %d, EUID %d, " | |
1689 | + "parent %s[%d], UID %d, EUID %d", | |
1690 | + "fork failures", | |
1691 | + retval, current->comm, current->pid, | |
1692 | + current->uid, current->euid, | |
1693 | + current->p_pptr->comm, current->p_pptr->pid, | |
1694 | + current->p_pptr->uid, current->p_pptr->euid); | |
1695 | +#endif | |
1696 | goto bad_fork; | |
1697 | } | |
1698 | ||
1699 | diff -urP linux-2.2.20-ow1/kernel/signal.c linux-2.2.20-hap-2/kernel/signal.c | |
1700 | --- linux-2.2.20-ow1/kernel/signal.c Fri Nov 2 11:39:16 2001 | |
1701 | +++ linux-2.2.20-hap-2/kernel/signal.c Fri Nov 9 19:16:17 2001 | |
1702 | @@ -254,6 +254,9 @@ | |
1703 | { | |
1704 | unsigned long flags; | |
1705 | int ret; | |
1706 | +#ifdef CONFIG_SECURE_CHROOT | |
1707 | + struct task_struct * hap_init_task; | |
1708 | +#endif | |
1709 | ||
1710 | #if DEBUG_SIG | |
1711 | printk("SIG queue (%s:%d): %d ", t->comm, t->pid, sig); | |
1712 | @@ -270,13 +273,67 @@ | |
1713 | && (current->uid ^ t->suid) && (current->uid ^ t->uid) | |
1714 | && !capable(CAP_KILL)) | |
1715 | goto out_nolock; | |
1716 | - | |
1717 | - /* The null signal is a permissions and process existance probe. | |
1718 | - No signal is actually delivered. Same goes for zombies. | |
1719 | - We have to grab the spinlock now so that we do not race | |
1720 | + /* We have to grab the spinlock now so that we do not race | |
1721 | with flush_signals. */ | |
1722 | - ret = 0; | |
1723 | spin_lock_irqsave(&t->sigmask_lock, flags); | |
1724 | + | |
1725 | +#ifdef CONFIG_SECURE_CHROOT | |
1726 | + /* | |
1727 | + * chrooted processes can only send signals to other processes in | |
1728 | + * the same jail, with the exception that they can send SIGALRM and | |
1729 | + * SIGIO to any process, and SIGCHLD to their parent, regardless. | |
1730 | + */ | |
1731 | + /* | |
1732 | + * this is still needed with the hap_same_root macros because we | |
1733 | + * have to check init's task struct to be careful not to deref a | |
1734 | + * null pointer later | |
1735 | + */ | |
1736 | + hap_init_task = task[smp_num_cpus] ? : task[0]; /* find task for init */ | |
1737 | + if ( /* noop for 'signal zero' */ | |
1738 | + sig && | |
1739 | + | |
1740 | + /* be careful not to deref a null pointer later */ | |
1741 | + t->pid && t->fs && t->fs->root && t->fs->root->d_inode && t->p_pptr && | |
1742 | + current->pid && current->fs && current->fs->root && | |
1743 | + current->fs->root->d_inode && current->p_pptr && | |
1744 | + hap_init_task && hap_init_task->pid && hap_init_task->fs && | |
1745 | + hap_init_task->fs->root && hap_init_task->fs->root->d_inode && | |
1746 | + | |
1747 | + /* real work starting: check if signal is "mostly harmless" */ | |
1748 | + !( sig == SIGALRM || sig == SIGIO || | |
1749 | + | |
1750 | + /* check if current is not chrooted */ | |
1751 | + (hap_same_root_as_init(current)) || | |
1752 | + | |
1753 | + /* else check if current && target are under same chroot */ | |
1754 | + (hap_same_root(t, current)) || | |
1755 | + | |
1756 | + /* else check if child is sending parent SIGCHILD */ | |
1757 | + (t->pid == current->p_pptr->pid && sig == SIGCHLD) ) ) { | |
1758 | + | |
1759 | + /* Note: if target is init, its parent is task 0 */ | |
1760 | + security_alert("refused signal %d out of chrooted jail [%s]:%lu " | |
1761 | + "owned by %d.%d by %s[%d], UID %d, EUID %d, parent " | |
1762 | + "%s[%d], UID %d, EUID %d to %s[%d], UID %d, EUID %d with " | |
1763 | + "root [%s]:%lu owned by %d.%d, parent %s[%d], UID %d, EUID %d", | |
1764 | + "refused signals", | |
1765 | + sig, kdevname(current->fs->root->d_inode->i_dev), | |
1766 | + current->fs->root->d_inode->i_ino, current->fs->root->d_inode->i_uid, | |
1767 | + current->fs->root->d_inode->i_gid, current->comm, | |
1768 | + current->pid, current->uid, current->euid, current->p_pptr->comm, | |
1769 | + current->p_pptr->pid, current->p_pptr->uid, current->p_pptr->euid, | |
1770 | + t->comm, t->pid, t->uid, t->euid, kdevname(t->fs->root->d_inode->i_dev), | |
1771 | + t->fs->root->d_inode->i_ino, t->fs->root->d_inode->i_uid, | |
1772 | + t->fs->root->d_inode->i_gid, t->p_pptr->comm, t->p_pptr->pid, | |
1773 | + t->p_pptr->uid, t->p_pptr->euid); | |
1774 | + spin_unlock_irqrestore(&t->sigmask_lock, flags); | |
1775 | + goto out_nolock; | |
1776 | + } | |
1777 | + | |
1778 | +#endif | |
1779 | + ret = 0; | |
1780 | + /* The null signal is a permissions and process existance probe. | |
1781 | + No signal is actually delivered. Same goes for zombies. */ | |
1782 | if (!sig || !t->sig) { | |
1783 | spin_unlock_irqrestore(&t->sigmask_lock, flags); | |
1784 | goto out_nolock; | |
1785 | @@ -301,6 +358,34 @@ | |
1786 | /* Inflict this corner case with recalculations, not mainline */ | |
1787 | recalc_sigpending(t); | |
1788 | break; | |
1789 | +#if CONFIG_SECURE_LOGGING | |
1790 | + case SIGSEGV: case SIGILL: case SIGABRT: case SIGBUS: | |
1791 | +#ifdef __i386__ | |
1792 | + security_alert("signal %d (%s addr 0x%08lx) sent to " | |
1793 | + "%s[%d], UID %d, EUID %d, parent %s[%d], UID %d, EUID %d, " | |
1794 | + "by %s[%d], UID %d, EUID %d, parent %s[%d], UID %d, EUID %d", | |
1795 | + "signal warnings", | |
1796 | + sig, (t->tss.error_code & 2) ? "write" : "read or execute", | |
1797 | + t->tss.cr2, | |
1798 | + t->comm, t->pid, t->uid, t->euid, t->p_pptr->comm, | |
1799 | + t->p_pptr->pid, t->p_pptr->uid, t->p_pptr->euid, | |
1800 | + current->comm, current->pid, current->uid, current->euid, | |
1801 | + current->p_pptr->comm, current->p_pptr->pid, | |
1802 | + current->p_pptr->uid, current->p_pptr->euid); | |
1803 | +#else | |
1804 | + security_alert("signal %d sent to " | |
1805 | + "%s[%d], UID %d, EUID %d, parent %s[%d], UID %d, EUID %d, " | |
1806 | + "by %s[%d], UID %d, EUID %d, parent %s[%d], UID %d, EUID %d", | |
1807 | + "signal warnings", | |
1808 | + sig, | |
1809 | + t->comm, t->pid, t->uid, t->euid, t->p_pptr->comm, | |
1810 | + t->p_pptr->pid, t->p_pptr->uid, t->p_pptr->euid, | |
1811 | + current->comm, current->pid, current->uid, current->euid, | |
1812 | + current->p_pptr->comm, current->p_pptr->pid, | |
1813 | + current->p_pptr->uid, current->p_pptr->euid); | |
1814 | +#endif | |
1815 | + break; | |
1816 | +#endif | |
1817 | } | |
1818 | ||
1819 | /* Optimize away the signal, if it's a signal that can be | |
1820 | diff -urP linux-2.2.20-ow1/kernel/sysctl.c linux-2.2.20-hap-2/kernel/sysctl.c | |
1821 | --- linux-2.2.20-ow1/kernel/sysctl.c Sat Nov 3 13:14:57 2001 | |
1822 | +++ linux-2.2.20-hap-2/kernel/sysctl.c Fri Nov 9 19:16:17 2001 | |
1823 | @@ -96,12 +96,20 @@ | |
1824 | static ctl_table fs_table[]; | |
1825 | static ctl_table debug_table[]; | |
1826 | static ctl_table dev_table[]; | |
1827 | - | |
1828 | +static ctl_table security_table[]; | |
1829 | ||
1830 | /* /proc declarations: */ | |
1831 | ||
1832 | #ifdef CONFIG_PROC_FS | |
1833 | ||
1834 | +/* Keep these here reguardless if CONFIG_SECURE_SYSCTL is defined or not */ | |
1835 | +int sysctl_security = 1; | |
1836 | +int sysctl_security_trace = 1; | |
1837 | + | |
1838 | +#ifdef CONFIG_SECURE_TRACE | |
1839 | +int sysctl_security_trace_gid = 0; | |
1840 | +#endif | |
1841 | + | |
1842 | static ssize_t proc_readsys(struct file *, char *, size_t, loff_t *); | |
1843 | static ssize_t proc_writesys(struct file *, const char *, size_t, loff_t *); | |
1844 | static int proc_sys_permission(struct inode *, int); | |
1845 | @@ -251,6 +259,18 @@ | |
1846 | &sysctl_ieee_emulation_warnings,sizeof(int),0644,NULL,&proc_dointvec}, | |
1847 | #endif | |
1848 | #endif | |
1849 | + {KERN_SECURITY, "security", NULL, 0, 0550, security_table}, | |
1850 | + {0} | |
1851 | +}; | |
1852 | + | |
1853 | +enum {SEC_TRACE=1, SEC_TRACE_GID , SEC_SYSCTL}; | |
1854 | +static ctl_table security_table[] = { | |
1855 | + {SEC_TRACE, "trace", &sysctl_security_trace, sizeof (int), | |
1856 | + 0640, NULL, &proc_dointvec}, | |
1857 | +#ifdef CONFIG_SECURE_TRACE_USERGROUP | |
1858 | + {SEC_TRACE_GID, "trace_gid", &sysctl_security_trace_gid, sizeof (int), | |
1859 | + 0640, NULL, &proc_dointvec}, | |
1860 | +#endif | |
1861 | {0} | |
1862 | }; | |
1863 | ||
1864 | diff -urP linux-2.2.20-ow1/kernel/time.c linux-2.2.20-hap-2/kernel/time.c | |
1865 | --- linux-2.2.20-ow1/kernel/time.c Sun Mar 25 11:31:02 2001 | |
1866 | +++ linux-2.2.20-hap-2/kernel/time.c Fri Nov 9 19:16:17 2001 | |
1867 | @@ -108,6 +108,14 @@ | |
1868 | time_maxerror = NTP_PHASE_LIMIT; | |
1869 | time_esterror = NTP_PHASE_LIMIT; | |
1870 | write_unlock_irq(&xtime_lock); | |
1871 | +#ifdef CONFIG_SECURE_LOGGING | |
1872 | + security_alert("time set by %s[%d], UID %d, EUID %d, parent %s[%d], " | |
1873 | + "UID %d, EUID %d", | |
1874 | + "time sets", | |
1875 | + current->comm, current->pid, current->uid, current->euid, | |
1876 | + current->p_pptr->comm, current->p_pptr->pid, | |
1877 | + current->p_pptr->uid, current->p_pptr->euid); | |
1878 | +#endif | |
1879 | return 0; | |
1880 | } | |
1881 | ||
1882 | @@ -184,6 +192,14 @@ | |
1883 | * globally block out interrupts when it runs. | |
1884 | */ | |
1885 | do_settimeofday(tv); | |
1886 | +#ifdef CONFIG_SECURE_LOGGING | |
1887 | + security_alert("time set by %s[%d], UID %d, EUID %d, parent %s[%d], " | |
1888 | + "UID %d, EUID %d", | |
1889 | + "time sets", | |
1890 | + current->comm, current->pid, current->uid, current->euid, | |
1891 | + current->p_pptr->comm, current->p_pptr->pid, | |
1892 | + current->p_pptr->uid, current->p_pptr->euid); | |
1893 | +#endif | |
1894 | } | |
1895 | return 0; | |
1896 | } | |
1897 | diff -urP linux-2.2.20-ow1/net/core/utils.c linux-2.2.20-hap-2/net/core/utils.c | |
1898 | --- linux-2.2.20-ow1/net/core/utils.c Sun Mar 25 11:31:12 2001 | |
1899 | +++ linux-2.2.20-hap-2/net/core/utils.c Fri Nov 9 19:16:17 2001 | |
1900 | @@ -35,12 +35,21 @@ | |
1901 | net_random(); | |
1902 | } | |
1903 | ||
1904 | +#ifdef CONFIG_SECURE_LOGGING | |
1905 | +int net_msg_cost = HZ; | |
1906 | +#else | |
1907 | int net_msg_cost = 5*HZ; | |
1908 | +#endif | |
1909 | int net_msg_burst = 10*5*HZ; | |
1910 | ||
1911 | /* | |
1912 | +#ifdef CONFIG_SECURE_LOGGING | |
1913 | + * This enforces a rate limit: not more than one kernel message | |
1914 | + * every 1secs to make a denial-of-service attack harder. | |
1915 | +#else | |
1916 | * This enforces a rate limit: not more than one kernel message | |
1917 | * every 5secs to make a denial-of-service attack impossible. | |
1918 | +#endif | |
1919 | * | |
1920 | * All warning printk()s should be guarded by this function. | |
1921 | */ | |
1922 | diff -urP linux-2.2.20-ow1/net/ipv4/ip_fw.c linux-2.2.20-hap-2/net/ipv4/ip_fw.c | |
1923 | --- linux-2.2.20-ow1/net/ipv4/ip_fw.c Sun Mar 25 11:31:12 2001 | |
1924 | +++ linux-2.2.20-hap-2/net/ipv4/ip_fw.c Fri Nov 9 19:16:17 2001 | |
1925 | @@ -416,34 +416,83 @@ | |
1926 | __u32 *opt = (__u32 *) (ip + 1); | |
1927 | int opti; | |
1928 | ||
1929 | - if (f) | |
1930 | - { | |
1931 | + if (f) { | |
1932 | +#ifdef CONFIG_SECURE_NETWORK | |
1933 | + /* log any accepted packet at kern.debug instead of kern.info */ | |
1934 | + if (f->simplebranch==FW_ACCEPT || | |
1935 | + f->simplebranch==FW_REDIRECT || | |
1936 | + f->simplebranch==FW_MASQUERADE) | |
1937 | + printk(KERN_DEBUG "Packet log: %s ",chainlabel); | |
1938 | + else | |
1939 | +#endif | |
1940 | printk(KERN_INFO "Packet log: %s ",chainlabel); | |
1941 | - | |
1942 | printk("%s ",branchname(f->branch,f->simplebranch)); | |
1943 | if (f->simplebranch==FW_REDIRECT) | |
1944 | printk("%d ",f->ipfw.fw_redirpt); | |
1945 | } | |
1946 | ||
1947 | +#ifdef CONFIG_SECURE_NETWORK | |
1948 | + if (ip->protocol == IPPROTO_TCP | |
1949 | + && !(ip->frag_off & __constant_htons(IP_OFFSET))) { | |
1950 | + struct tcphdr *tcp = (struct tcphdr *)((__u32 *)ip + ip->ihl); | |
1951 | + printk("%s PROTO=TCP %d.%d.%d.%d:%hu %d.%d.%d.%d:%hu " | |
1952 | + "L=%hu:%hu:%hu S=0x%2.2hX I=%hu:%u:%u F=0x%4.4hX " | |
1953 | + "T=%hu %c%c%c%c%c%c", | |
1954 | + ifname, | |
1955 | + NIPQUAD(ip->saddr), src_port, | |
1956 | + NIPQUAD(ip->daddr), dst_port, | |
1957 | + ntohs(ip->tot_len), ntohs(ip->tot_len) - ip->ihl*4, | |
1958 | + ntohs(ip->tot_len) - ip->ihl*4 - tcp->doff*4, | |
1959 | + ip->tos, ntohs(ip->id), ntohl(tcp->seq), | |
1960 | + ntohl(tcp->ack_seq), ip->frag_off, ip->ttl, | |
1961 | + tcp->ack ? 'A' : '.', | |
1962 | + tcp->syn ? 'S' : '.', | |
1963 | + tcp->fin ? 'F' : '.', | |
1964 | + tcp->rst ? 'R' : '.', | |
1965 | + tcp->psh ? 'P' : '.', | |
1966 | + tcp->urg ? 'U' : '.' ); | |
1967 | + } else if (ip->protocol == IPPROTO_UDP | |
1968 | + && !(ip->frag_off & __constant_htons(IP_OFFSET))) { | |
1969 | + struct udphdr *udp = (struct udphdr *)((__u32 *)ip + ip->ihl); | |
1970 | + printk("%s PROTO=UDP %d.%d.%d.%d:%hu %d.%d.%d.%d:%hu " | |
1971 | + "L=%hu:%u S=0x%2.2hX I=%hu F=0x%4.4hX T=%hu", | |
1972 | + ifname, | |
1973 | + NIPQUAD(ip->saddr), src_port, | |
1974 | + NIPQUAD(ip->daddr), dst_port, | |
1975 | + ntohs(ip->tot_len), ntohs(udp->len), | |
1976 | + ip->tos, ntohs(ip->id), ip->frag_off, ip->ttl); | |
1977 | + } else if (ip->protocol == IPPROTO_ICMP | |
1978 | + && !(ip->frag_off & __constant_htons(IP_OFFSET))) { | |
1979 | + struct icmphdr *icmp = (struct icmphdr *)((__u32 *)ip + ip->ihl); | |
1980 | + printk("%s PROTO=ICMP/%d:%d %d.%d.%d.%d %d.%d.%d.%d L=%hu " | |
1981 | + "S=0x%2.2hX I=%hu:%hu:%hu F=0x%4.4hX T=%hu", | |
1982 | + ifname, icmp->type, icmp->code, | |
1983 | + NIPQUAD(ip->saddr), | |
1984 | + NIPQUAD(ip->daddr), | |
1985 | + ntohs(ip->tot_len), ip->tos, | |
1986 | + ntohs(ip->id), ntohs(icmp->un.echo.id), | |
1987 | + ntohs(icmp->un.echo.sequence), | |
1988 | + ip->frag_off, ip->ttl); | |
1989 | + } else { | |
1990 | +#endif | |
1991 | printk("%s PROTO=%d %d.%d.%d.%d:%hu %d.%d.%d.%d:%hu" | |
1992 | " L=%hu S=0x%2.2hX I=%hu F=0x%4.4hX T=%hu", | |
1993 | ifname, ip->protocol, | |
1994 | - (ntohl(ip->saddr)>>24)&0xFF, | |
1995 | - (ntohl(ip->saddr)>>16)&0xFF, | |
1996 | - (ntohl(ip->saddr)>>8)&0xFF, | |
1997 | - (ntohl(ip->saddr))&0xFF, | |
1998 | - src_port, | |
1999 | - (ntohl(ip->daddr)>>24)&0xFF, | |
2000 | - (ntohl(ip->daddr)>>16)&0xFF, | |
2001 | - (ntohl(ip->daddr)>>8)&0xFF, | |
2002 | - (ntohl(ip->daddr))&0xFF, | |
2003 | - dst_port, | |
2004 | + NIPQUAD(ip->saddr), src_port, | |
2005 | + NIPQUAD(ip->daddr), dst_port, | |
2006 | ntohs(ip->tot_len), ip->tos, ntohs(ip->id), | |
2007 | ntohs(ip->frag_off), ip->ttl); | |
2008 | +#ifdef CONFIG_SECURE_NETWORK | |
2009 | + } | |
2010 | +#endif | |
2011 | ||
2012 | for (opti = 0; opti < (ip->ihl - sizeof(struct iphdr) / 4); opti++) | |
2013 | printk(" O=0x%8.8X", *opt++); | |
2014 | +#ifdef CONFIG_SECURE_NETWORK | |
2015 | + printk(" (#%d)\n", count); | |
2016 | +#else | |
2017 | printk(" %s(#%d)\n", syn ? "SYN " : /* "PENANCE" */ "", count); | |
2018 | +#endif | |
2019 | } | |
2020 | ||
2021 | /* function for checking chain labels for user space. */ | |
2022 | diff -urP linux-2.2.20-ow1/net/ipv4/route.c linux-2.2.20-hap-2/net/ipv4/route.c | |
2023 | --- linux-2.2.20-ow1/net/ipv4/route.c Fri Nov 2 11:39:16 2001 | |
2024 | +++ linux-2.2.20-hap-2/net/ipv4/route.c Fri Nov 9 19:16:17 2001 | |
2025 | @@ -715,12 +715,20 @@ | |
2026 | return; | |
2027 | ||
2028 | reject_redirect: | |
2029 | +#ifdef CONFIG_SECURE_LOGGING | |
2030 | + security_alert("redirect from %d.%d.%d.%d/%s to %d.%d.%d.%d ignored; " | |
2031 | + "path = %d.%d.%d.%d -> %d.%d.%d.%d, tos %02x\n", | |
2032 | + "redirects ignored", | |
2033 | + NIPQUAD(old_gw), dev->name, NIPQUAD(new_gw), | |
2034 | + NIPQUAD(saddr), NIPQUAD(daddr), tos); | |
2035 | +#else | |
2036 | #ifdef CONFIG_IP_ROUTE_VERBOSE | |
2037 | if (IN_DEV_LOG_MARTIANS(in_dev) && net_ratelimit()) | |
2038 | printk(KERN_INFO "Redirect from %X/%s to %X ignored." | |
2039 | "Path = %X -> %X, tos %02x\n", | |
2040 | ntohl(old_gw), dev->name, ntohl(new_gw), | |
2041 | ntohl(saddr), ntohl(daddr), tos); | |
2042 | +#endif | |
2043 | #endif | |
2044 | } | |
2045 | ||
2046 | diff -urP linux-2.2.20-ow1/net/ipv4/tcp_ipv4.c linux-2.2.20-hap-2/net/ipv4/tcp_ipv4.c | |
2047 | --- linux-2.2.20-ow1/net/ipv4/tcp_ipv4.c Sun Mar 25 11:37:41 2001 | |
2048 | +++ linux-2.2.20-hap-2/net/ipv4/tcp_ipv4.c Fri Nov 9 19:16:17 2001 | |
2049 | @@ -1747,6 +1747,14 @@ | |
2050 | len < (th->doff * 4)) | |
2051 | goto bad_packet; | |
2052 | ||
2053 | +#ifdef CONFIG_SECURE_NETWORK | |
2054 | + /* Throw out packets with clearly bogus flags. */ | |
2055 | + if ( ! (th->ack || th->syn || th->rst) || | |
2056 | + (th->fin && (th->syn || th->rst) ) || | |
2057 | + (th->rst && (th->syn || th->urg) ) || | |
2058 | + (th->syn && th->urg) ) | |
2059 | + goto tcp_bad_flags; | |
2060 | +#endif | |
2061 | #ifdef CONFIG_IP_TRANSPARENT_PROXY | |
2062 | if (IPCB(skb)->redirport) | |
2063 | sk = tcp_v4_proxy_lookup(th->dest, skb->nh.iph->saddr, th->source, | |
2064 | @@ -1762,7 +1770,11 @@ | |
2065 | } | |
2066 | #endif | |
2067 | if (!sk) | |
2068 | +#ifdef CONFIG_SECURE_NETWORK | |
2069 | + goto tcp_unserved; | |
2070 | +#else | |
2071 | goto no_tcp_socket; | |
2072 | +#endif | |
2073 | if(!ipsec_sk_policy(sk,skb)) | |
2074 | goto discard_it; | |
2075 | ||
2076 | @@ -1780,6 +1792,52 @@ | |
2077 | ||
2078 | __skb_queue_tail(&sk->back_log, skb); | |
2079 | return 0; | |
2080 | +#ifdef CONFIG_SECURE_NETWORK | |
2081 | + | |
2082 | +tcp_bad_flags: | |
2083 | + if(net_ratelimit()) | |
2084 | + printk(KERN_INFO | |
2085 | + "Packet log: badflag DENY %s PROTO=TCP %d.%d.%d.%d:%d " | |
2086 | + "%d.%d.%d.%d:%d L=%hu:%u:%u S=0x%2.2hX I=%hu:%u:%u " | |
2087 | + "T=%hu %c%c%c%c%c%c\n", | |
2088 | + skb->dev->name, NIPQUAD(skb->nh.iph->saddr), ntohs(th->source), | |
2089 | + NIPQUAD(skb->nh.iph->daddr), ntohs(th->dest), | |
2090 | + ntohs(skb->nh.iph->tot_len), skb->len, skb->len - th->doff*4, | |
2091 | + skb->nh.iph->tos, ntohs(skb->nh.iph->id), ntohl(th->seq), | |
2092 | + ntohl(th->ack_seq), skb->nh.iph->ttl, | |
2093 | + th->ack ? 'A' : '.', | |
2094 | + th->syn ? 'S' : '.', | |
2095 | + th->fin ? 'F' : '.', | |
2096 | + th->rst ? 'R' : '.', | |
2097 | + th->psh ? 'P' : '.', | |
2098 | + th->urg ? 'U' : '.' ); | |
2099 | + /* | |
2100 | + * This will cause tcp_send_reset to *not* send. | |
2101 | + */ | |
2102 | + th->rst=1; | |
2103 | + goto no_tcp_socket; | |
2104 | + | |
2105 | +tcp_unserved: | |
2106 | + if(net_ratelimit()) | |
2107 | + printk(KERN_INFO | |
2108 | + "Packet log: unserved DENY %s PROTO=TCP %d.%d.%d.%d:%d " | |
2109 | + "%d.%d.%d.%d:%d L=%hu:%u:%u S=0x%2.2hX " | |
2110 | + "I=%hu:%u:%u T=%hu %c%c%c%c%c%c\n", | |
2111 | + skb->dev->name, NIPQUAD(skb->nh.iph->saddr), ntohs(th->source), | |
2112 | + NIPQUAD(skb->nh.iph->daddr), ntohs(th->dest), | |
2113 | + ntohs(skb->nh.iph->tot_len), skb->len, skb->len - th->doff*4, | |
2114 | + skb->nh.iph->tos, ntohs(skb->nh.iph->id), ntohl(th->seq), | |
2115 | + ntohl(th->ack_seq), skb->nh.iph->ttl, | |
2116 | + th->ack ? 'A' : '.', | |
2117 | + th->syn ? 'S' : '.', | |
2118 | + th->fin ? 'F' : '.', | |
2119 | + th->rst ? 'R' : '.', | |
2120 | + th->psh ? 'P' : '.', | |
2121 | + th->urg ? 'U' : '.' ); | |
2122 | +#ifdef CONFIG_SECURE_NET_SBD | |
2123 | + th->rst=1; | |
2124 | +#endif | |
2125 | +#endif /* CONFIG_SECURE_NETWORK */ | |
2126 | ||
2127 | no_tcp_socket: | |
2128 | tcp_v4_send_reset(skb); | |
2129 | diff -urP linux-2.2.20-ow1/net/ipv4/udp.c linux-2.2.20-hap-2/net/ipv4/udp.c | |
2130 | --- linux-2.2.20-ow1/net/ipv4/udp.c Sun Mar 25 11:37:41 2001 | |
2131 | +++ linux-2.2.20-hap-2/net/ipv4/udp.c Fri Nov 9 19:16:17 2001 | |
2132 | @@ -1137,6 +1137,14 @@ | |
2133 | goto csum_error; | |
2134 | #endif | |
2135 | udp_statistics.UdpNoPorts++; | |
2136 | +#ifdef CONFIG_SECURE_NETWORK | |
2137 | + /* | |
2138 | + * This will cause a message for _every_ UDP packet we didn't | |
2139 | + * ask for, _including_ broadcasts. If you don't care about | |
2140 | + * broadcasts, move the following line inside the if { .. } below. | |
2141 | + */ | |
2142 | + goto udp_unserved_port; | |
2143 | +#else | |
2144 | icmp_send(skb, ICMP_DEST_UNREACH, ICMP_PORT_UNREACH, 0); | |
2145 | ||
2146 | /* | |
2147 | @@ -1145,9 +1153,29 @@ | |
2148 | */ | |
2149 | kfree_skb(skb); | |
2150 | return(0); | |
2151 | +#endif | |
2152 | } | |
2153 | udp_deliver(sk, skb); | |
2154 | return 0; | |
2155 | + | |
2156 | +#ifdef CONFIG_SECURE_NETWORK | |
2157 | + | |
2158 | +udp_unserved_port: | |
2159 | + if(net_ratelimit()) | |
2160 | + printk( KERN_INFO | |
2161 | + "Packet log: unserved DENY %s PROTO=UDP %d.%d.%d.%d:%d %d.%d.%d.%d:%d " | |
2162 | + "L=%hu:%u S=0x%2.2hX I=%hu T=%hu\n", | |
2163 | + skb->dev->name, NIPQUAD(saddr), ntohs(uh->source), | |
2164 | + NIPQUAD(daddr), ntohs(uh->dest), ntohs(skb->nh.iph->tot_len), | |
2165 | + ntohs(uh->len), skb->nh.iph->tos, ntohs(skb->nh.iph->id), | |
2166 | + skb->nh.iph->ttl); | |
2167 | +#ifndef CONFIG_SECURE_NET_SBD | |
2168 | + icmp_send(skb, ICMP_DEST_UNREACH, ICMP_PORT_UNREACH, 0); | |
2169 | +#endif | |
2170 | + skb->sk = NULL; | |
2171 | + kfree_skb(skb); | |
2172 | + return(0); | |
2173 | +#endif /* CONFIG_SECURE_NETWORK */ | |
2174 | ||
2175 | csum_error: | |
2176 | /* | |
2177 | diff -urP linux-2.2.20-ow1/security/Common.in linux-2.2.20-hap-2/security/Common.in | |
2178 | --- linux-2.2.20-ow1/security/Common.in Sat Nov 3 13:14:57 2001 | |
2179 | +++ linux-2.2.20-hap-2/security/Common.in Fri Nov 9 19:16:17 2001 | |
2180 | @@ -4,9 +4,26 @@ | |
2181 | ||
2182 | bool 'Restricted links in /tmp' CONFIG_SECURE_LINK | |
2183 | bool 'Restricted FIFOs in /tmp' CONFIG_SECURE_FIFO | |
2184 | +if [ "$CONFIG_SECURE_LINK" = "y" -o "CONFIG_SECURE_FIFO" = "y" ]; then | |
2185 | + bool 'Allow links/fifos in non-world-writable +t dirs' CONFIG_SECURE_NOTSOMUCH | |
2186 | +fi | |
2187 | bool 'Restricted /proc' CONFIG_SECURE_PROC | |
2188 | bool 'Special handling of fd 0, 1, and 2' CONFIG_SECURE_FD_0_1_2 | |
2189 | bool 'Enforce RLIMIT_NPROC on execve(2)' CONFIG_SECURE_RLIMIT_NPROC | |
2190 | if [ "$CONFIG_SYSVIPC" = "y" ]; then | |
2191 | bool 'Destroy shared memory segments not in use' CONFIG_SECURE_SHM | |
2192 | +fi | |
2193 | +bool 'Unofficial bugfixes' CONFIG_SECURE_BUGFIX | |
2194 | +bool 'Extra logging of unusual events' CONFIG_SECURE_LOGGING | |
2195 | +bool 'Paranoid networking' CONFIG_SECURE_NETWORK | |
2196 | +if [ "$CONFIG_SECURE_NETWORK" = "y" ]; then | |
2197 | + bool 'Blackhole networking' CONFIG_SECURE_NET_SBD | |
2198 | +fi | |
2199 | +bool 'Restricted chroot' CONFIG_SECURE_CHROOT | |
2200 | +bool 'Restricted ptrace' CONFIG_SECURE_TRACE | |
2201 | +if [ "$CONFIG_SECURE_TRACE" == "y" ]; then | |
2202 | + bool ' Allow special group' CONFIG_SECURE_TRACE_USERGROUP | |
2203 | +fi | |
2204 | +if [ "$CONFIG_SYSCTL" == "y" ]; then | |
2205 | + bool 'Security Sysctl Support' CONFIG_SECURE_SYSCTL | |
2206 | fi |