85213f0d KT |
1 | diff -urP linux-2.2.20-ow1/Documentation/Configure.help linux-2.2.20-hap-2/Documentation/Configure.help |
2 | --- linux-2.2.20-ow1/Documentation/Configure.help Sat Nov 3 13:14:57 2001 | |
3 | +++ linux-2.2.20-hap-2/Documentation/Configure.help Fri Nov 9 19:16:17 2001 | |
4 | @@ -15291,6 +15291,17 @@ | |
5 | same as that of the directory or the FIFO is opened without the | |
6 | O_CREAT flag. | |
7 | ||
8 | +Allow links/pipes in non-world-writable +t dirs | |
9 | +CONFIG_SECURE_NOTSOMUCH | |
10 | + This makes the checks that CONFIG_SECURE_LINK and CONFIG_SECURE_PIPE | |
11 | + perform a little less restrictive. Namely, links/pipes will work | |
12 | + again in +t directories if the directory is not world-writable. Most | |
13 | + sticky directories (such as /tmp) *are* world-writable, but you may | |
14 | + have other +t directories which are not (to make safe group-writable | |
15 | + shared upload directories, for instance). Say Y only if you have had | |
16 | + problems using the CONFIG_SECURE_LINK or CONFIG_SECURE_PIPE options | |
17 | + and you think you need this. | |
18 | + | |
19 | Restricted /proc | |
20 | CONFIG_SECURE_PROC | |
21 | This option restricts the permissions on directories in /proc so | |
22 | @@ -15302,6 +15313,13 @@ | |
23 | disables dmesg(8) for the users. You might want to use this on an ISP | |
24 | shell server where privacy is an issue. | |
25 | ||
26 | +Unofficial bugfixes | |
27 | +CONFIG_SECURE_BUGFIX | |
28 | + Currently this fixes the following bug: | |
29 | + * stracing an unreadable binary (ie mode 111). Note that there | |
30 | + are still ways to get around this at least on x86. | |
31 | + Say Y here unless you know you shouldn't. | |
32 | + | |
33 | Special handling of fd 0, 1, and 2 | |
34 | CONFIG_SECURE_FD_0_1_2 | |
35 | File descriptors 0, 1, and 2 have a special meaning for the C library | |
36 | @@ -15343,6 +15361,102 @@ | |
37 | Note that this feature will do you no good unless you also configure | |
38 | your resource limits (in particular, RLIMIT_AS and RLIMIT_NPROC). Most | |
39 | systems don't need this. | |
40 | + | |
41 | +Extra logging of unusual events | |
42 | +CONFIG_SECURE_LOGGING | |
43 | + This turns on some extra kernel logging. Right now this includes: | |
44 | + * some extra verbosity in the network layer (reporting about arp cache | |
45 | + changes, and complaining if someone tries to route through us and | |
46 | + we're not a router) | |
47 | + * also causes some packets that used to be dropped silently to get | |
48 | + whined about | |
49 | + * logs of who/what/when the system time changes | |
50 | + * logs when/why forks fail | |
51 | + * logs certain "lethal" signals: SIGSEGV, SIGBUS, SIGABRT, SIGILL | |
52 | + This is of limited use, and has some extra overhead, but isn't likely | |
53 | + to cause any problems. | |
54 | + | |
55 | +Paranoid networking | |
56 | +CONFIG_SECURE_NETWORK | |
57 | + This turns on some extra paranoia in tcp and udp net code. | |
58 | + Currently it does (or tries to): | |
59 | + * warns on packets to unserved UDP ports | |
60 | + * warns on packets to unserved TCP ports | |
61 | + * optionally, denies such packets (CONFIG_SECURE_NET_SBD) | |
62 | + * warns & denies TCP packets with invalid combinations of flags | |
63 | + * adds extra info to all IPFW log lines: | |
64 | + * length of TCP & data / UDP as well as IP length | |
65 | + * print TCP ACK and SEQ numbers in addition to IP ids | |
66 | + * prints all TCP flags set (Syn, Ack, Fin, Urg, etc) | |
67 | + It also hopefully banishes a longstanding bug with IPFW/IPchains | |
68 | + log printing when under heavy IO, where different printk'ed lines | |
69 | + step on each other/get truncated, etc. | |
70 | + Say Y unless you think it's breaking stuff (or you don't want the | |
71 | + log volume, which will be high on a busy server). | |
72 | + | |
73 | +Blackhole networking | |
74 | +CONFIG_SECURE_NET_SBD | |
75 | + When CONFIG_SECURE_NETWORK is enabled, this disables the usual | |
76 | + behavior of responding to unsolicited/"unserved" TCP packets with | |
77 | + a TCP RST, and to unserved UDP packets with an ICMP port-unreach. | |
78 | + Note that the UDP behavior is superfluous (can be easily done with | |
79 | + ipchains rules) but there's no convenient, desirable way to block | |
80 | + the RSTs other than this. This is recommended for personal systems | |
81 | + and low-volume servers. However, it is rude and breaks RFCs, so | |
82 | + it should be left off (the default behavior) for most systems, | |
83 | + unless you are *really* paranoid. | |
84 | + | |
85 | +Restricted chroot | |
86 | +CONFIG_SECURE_CHROOT | |
87 | + This causes chroot processes to be a bit more restricted. Processes | |
88 | + which are already in a chroot(2)ed jail now cannot: | |
89 | + * chroot(2) again | |
90 | + * mknod(2) a character or block device | |
91 | + * mount(2) new/remounted filesystems | |
92 | + * ptrace(2) processes outside their jail | |
93 | + * kill(2) processes outside their jail (except sending SIGCHLD to parent) | |
94 | + These are a _few_ of the ways that a root-priv'ed process can break | |
95 | + out of a chrooted jail. They are not all of them. Basically, if | |
96 | + someone has root in a chrooted jail, no can defend -- they've got you. | |
97 | + But, this may help you detect the most common things such an intruder | |
98 | + would do. The only way to win is not to play, however -- don't let | |
99 | + anything in a chrooted jail get root! Simple, right? ;) | |
100 | + This may break systems that use initrd, as that implies an original | |
101 | + chroot. Or not -- the "is this process chrooted" test compares the | |
102 | + root of the current process to that of init; this may not break under | |
103 | + initrd (I have no initrd'd boxes on which to test). | |
104 | + | |
105 | +Restricted ptrace | |
106 | +CONFIG_SECURE_TRACE | |
107 | + When enabled this disables system call tracing (ptrace) entirely for | |
108 | + non-root users. It also prevents tracing syscalls the kernel itself | |
109 | + makes, which can confuse some programs such as strace. When this | |
110 | + option is set, CONFIG_SECURE_TRACE_USERGROUP can be used to enable | |
111 | + ptrace/strace for only certain users. | |
112 | + This option will also cause the logging of any *allowed* ptrace calls. | |
113 | + | |
114 | +Restricted ptrace usergroup | |
115 | +CONFIG_SECURE_TRACE_USERGROUP | |
116 | + Use this option to allow tracing by a special group (defaults to 0). | |
117 | + Users in this group (or processes with this group as egid) can use | |
118 | + the ptrace system call--but only against their own processes, unless | |
119 | + they are root. The allowed group can be changed at runtime when | |
120 | + CONFIG_SECURE_SYSCTL is enabled, by | |
121 | + echo XX > /proc/sys/kernel/security/trace_gid | |
122 | + For a number of boring reasons, the recommended way to use this is to | |
123 | + create a dedicated 'ptrace' group, put only trusted users in it, and | |
124 | + chgrp ptrace /usr/bin/strace; chmod 2110 /usr/bin/strace | |
125 | + (And do the same for other ptrace-using apps they need to run.) | |
126 | + | |
127 | +Security Sysctl | |
128 | +CONFIG_SECURE_SYSCTL | |
129 | + If you say Y here, you will be able to change security options that | |
130 | + without having to recompile your kernel. You can echo values to | |
131 | + files in /proc/sys/kernel/security to enable (1) or disable (0) various | |
132 | + features or change runtime configurables like the ptrace-allow group. | |
133 | + All features are enabled by default (and default to root-only). | |
134 | + Please note that this option could reduce the effectiveness of the | |
135 | + added security policy. | |
136 | ||
137 | # | |
138 | # A couple of things I keep forgetting: | |
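--- a/Makefile
+++ b/Makefile
@@ -1,7 +1,7 @@
 VERSION = 2
 PATCHLEVEL = 2
 SUBLEVEL = 20
-EXTRAVERSION =
+EXTRAVERSION = -hap-2
 
 ARCH := $(shell uname -m | sed -e s/i.86/i386/ -e s/sun4u/sparc64/ -e s/arm.*/arm/ -e s/sa110/arm/)
 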
151 | diff -urP linux-2.2.20-ow1/arch/alpha/defconfig linux-2.2.20-hap-2/arch/alpha/defconfig | |
152 | --- linux-2.2.20-ow1/arch/alpha/defconfig Sat Nov 3 13:14:57 2001 | |
153 | +++ linux-2.2.20-hap-2/arch/alpha/defconfig Fri Nov 9 19:16:17 2001 | |
154 | @@ -333,10 +333,15 @@ | |
155 | # | |
156 | CONFIG_SECURE_LINK=y | |
157 | CONFIG_SECURE_FIFO=y | |
158 | -# CONFIG_SECURE_PROC is not set | |
159 | +CONFIG_SECURE_NOTSOMUCH=y | |
160 | +CONFIG_SECURE_PROC=y | |
161 | CONFIG_SECURE_FD_0_1_2=y | |
162 | CONFIG_SECURE_RLIMIT_NPROC=y | |
163 | # CONFIG_SECURE_SHM is not set | |
164 | +CONFIG_SECURE_LOGGING=y | |
165 | +CONFIG_SECURE_NETWORK=y | |
166 | +# CONFIG_SECURE_NET_SBD is not set | |
167 | +CONFIG_SECURE_CHROOT=y | |
168 | ||
169 | # | |
170 | # Kernel hacking | |
171 | diff -urP linux-2.2.20-ow1/arch/alpha/kernel/ptrace.c linux-2.2.20-hap-2/arch/alpha/kernel/ptrace.c | |
172 | --- linux-2.2.20-ow1/arch/alpha/kernel/ptrace.c Fri Nov 2 11:39:05 2001 | |
173 | +++ linux-2.2.20-hap-2/arch/alpha/kernel/ptrace.c Fri Nov 9 19:16:17 2001 | |
174 | @@ -517,6 +517,9 @@ | |
175 | sys_ptrace(long request, long pid, long addr, long data, | |
176 | int a4, int a5, struct pt_regs regs) | |
177 | { | |
178 | +#ifdef CONFIG_SECURE_TRACE | |
179 | + extern int sysctl_security_trace, sysctl_security_trace_gid; | |
180 | +#endif | |
181 | struct task_struct *child; | |
182 | unsigned long tmp; | |
183 | long ret; | |
184 | @@ -555,6 +558,54 @@ | |
185 | /* the same process cannot be attached many times */ | |
186 | if (child->ptrace & PT_PTRACED) | |
187 | goto out; | |
188 | +#ifdef CONFIG_SECURE_CHROOT | |
189 | + if (!(hap_same_root_as_init(current)) && | |
190 | + !(hap_same_root(current, child)) ) { | |
191 | + /* | |
192 | + * This process is chrooted; don't let it ptrace | |
193 | + * any process not in the same jail with it | |
194 | + */ | |
195 | + security_alert("denied ptrace of %s[%d] within chrooted " | |
196 | + "jail [%s]:%lu by %s[%d], UID %d, EUID %d, parent %s[%d], UID %d, EUID %d", | |
197 | + "ptraces from a chrooted process", | |
198 | + child->comm, child->pid, kdevname(current->fs->root->d_inode->i_dev), | |
199 | + current->fs->root->d_inode->i_ino, current->comm, current->pid, | |
200 | + current->uid, current->euid, current->p_pptr->comm, current->p_pptr->pid, | |
201 | + current->p_pptr->uid, current->p_pptr->euid ); | |
202 | + goto out; | |
203 | + } | |
204 | +#endif | |
205 | +#ifdef CONFIG_SECURE_TRACE | |
206 | + if (sysctl_security_trace && current->uid | |
207 | +#ifdef CONFIG_SECURE_TRACE_USERGROUP | |
208 | + && current->egid != sysctl_security_trace_gid | |
209 | +#endif | |
210 | + ) { | |
211 | + security_alert("denied ptrace of %s[%d] by %s[%d], " | |
212 | + "UID/EUID %d/%d, GID/EGID %d/%d, parent %s[%d], " | |
213 | + "UID/EUID %d/%d, GID/EGID %d/%d", | |
214 | + "ptrace attempts", | |
215 | + child->comm, child->pid, current->comm, | |
216 | + current->pid, current->uid, | |
217 | + current->euid, current->gid, | |
218 | + current->egid, current->p_pptr->comm, | |
219 | + current->p_pptr->pid, current->p_pptr->uid, | |
220 | + current->p_pptr->euid, current->p_pptr->gid, | |
221 | + current->p_pptr->egid ); | |
222 | + goto out; | |
223 | + } | |
224 | + security_alert("ptrace of %s[%d] by %s[%d], " | |
225 | + "UID/EUID %d/%d, GID/EGID %d/%d, parent %s[%d], " | |
226 | + "UID/EUID %d/%d, GID/EGID %d/%d", | |
227 | + "ptraces", | |
228 | + child->comm, child->pid, current->comm, | |
229 | + current->pid, current->uid, | |
230 | + current->euid, current->gid, | |
231 | + current->egid, current->p_pptr->comm, | |
232 | + current->p_pptr->pid, current->p_pptr->uid, | |
233 | + current->p_pptr->euid, current->p_pptr->gid, | |
234 | + current->p_pptr->egid ); | |
235 | +#endif | |
236 | child->ptrace |= PT_PTRACED; | |
237 | if (child->p_pptr != current) { | |
238 | REMOVE_LINKS(child); | |
239 | @@ -684,11 +735,18 @@ | |
240 | } | |
241 | ||
242 | asmlinkage void | |
243 | -syscall_trace(void) | |
244 | +syscall_trace(int unused) | |
245 | { | |
246 | +#ifdef CONFIG_SECURE_TRACE | |
247 | + struct pt_regs *regs = (struct pt_regs *) &unused; | |
248 | +#endif | |
249 | if ((current->ptrace & (PT_PTRACED|PT_TRACESYS)) | |
250 | != (PT_PTRACED|PT_TRACESYS)) | |
251 | return; | |
252 | +#ifdef CONFIG_SECURE_TRACE | |
253 | + if (!user_mode(regs)) | |
254 | + return; /* Don't trace the kernel's syscalls */ | |
255 | +#endif | |
256 | current->exit_code = SIGTRAP; | |
257 | current->state = TASK_STOPPED; | |
258 | notify_parent(current, SIGCHLD); | |
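Review bot: The cast `struct pt_regs *regs = (struct pt_regs *) &unused;` in the syscall_trace hunk assumes the first argument is passed on the stack and sits exactly at the base of the saved register frame, which is an i386 convention; on Alpha the first argument arrives in $16, so `&unused` is the address of a spill slot inside syscall_trace's own frame and `user_mode(regs)` tests an unrelated word. Depending on what that word holds, the "Don't trace the kernel's syscalls" guard either never fires or silently drops the SIGTRAP stop for genuine user-mode syscalls, which would break strace on this architecture. Unless arch/alpha/kernel/entry.S is changed elsewhere in this patch to pass the frame (not visible here), syscall_trace should take the frame as a real parameter, `asmlinkage void syscall_trace(struct pt_regs *regs)`, with the entry code loading its address into $16. The same cast is repeated for every architecture in this patch and appears safe only where arguments are passed on the stack.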
259 | diff -urP linux-2.2.20-ow1/arch/arm/defconfig linux-2.2.20-hap-2/arch/arm/defconfig | |
260 | --- linux-2.2.20-ow1/arch/arm/defconfig Sat Nov 3 13:14:57 2001 | |
261 | +++ linux-2.2.20-hap-2/arch/arm/defconfig Fri Nov 9 19:16:17 2001 | |
262 | @@ -488,10 +488,16 @@ | |
263 | # | |
264 | CONFIG_SECURE_LINK=y | |
265 | CONFIG_SECURE_FIFO=y | |
266 | -# CONFIG_SECURE_PROC is not set | |
267 | +CONFIG_SECURE_NOTSOMUCH=y | |
268 | +CONFIG_SECURE_PROC=y | |
269 | CONFIG_SECURE_FD_0_1_2=y | |
270 | CONFIG_SECURE_RLIMIT_NPROC=y | |
271 | # CONFIG_SECURE_SHM is not set | |
272 | +CONFIG_SECURE_BUGFIX=y | |
273 | +CONFIG_SECURE_LOGGING=y | |
274 | +CONFIG_SECURE_NETWORK=y | |
275 | +# CONFIG_SECURE_NET_SBD is not set | |
276 | +CONFIG_SECURE_CHROOT=y | |
277 | ||
278 | # | |
279 | # Kernel hacking | |
280 | diff -urP linux-2.2.20-ow1/arch/arm/kernel/ptrace.c linux-2.2.20-hap-2/arch/arm/kernel/ptrace.c | |
281 | --- linux-2.2.20-ow1/arch/arm/kernel/ptrace.c Fri Nov 2 11:39:05 2001 | |
282 | +++ linux-2.2.20-hap-2/arch/arm/kernel/ptrace.c Fri Nov 9 19:16:17 2001 | |
283 | @@ -792,6 +792,9 @@ | |
284 | ||
285 | asmlinkage int sys_ptrace(long request, long pid, long addr, long data) | |
286 | { | |
287 | +#ifdef CONFIG_SECURE_TRACE | |
288 | + extern int sysctl_security_trace, sysctl_security_trace_gid; | |
289 | +#endif | |
290 | struct task_struct *child; | |
291 | int ret; | |
292 | ||
293 | @@ -828,6 +831,54 @@ | |
294 | /* the same process cannot be attached many times */ | |
295 | if (child->ptrace & PT_PTRACED) | |
296 | goto out; | |
297 | +#ifdef CONFIG_SECURE_CHROOT | |
298 | + if (!(hap_same_root_as_init(current)) && | |
299 | + !(hap_same_root(current, child)) ) { | |
300 | + /* | |
301 | + * This process is chrooted; don't let it ptrace | |
302 | + * any process not in the same jail with it | |
303 | + */ | |
304 | + security_alert("denied ptrace of %s[%d] within chrooted " | |
305 | + "jail [%s]:%lu by %s[%d], UID %d, EUID %d, parent %s[%d], UID %d, EUID %d", | |
306 | + "ptraces from a chrooted process", | |
307 | + child->comm, child->pid, kdevname(current->fs->root->d_inode->i_dev), | |
308 | + current->fs->root->d_inode->i_ino, current->comm, current->pid, | |
309 | + current->uid, current->euid, current->p_pptr->comm, current->p_pptr->pid, | |
310 | + current->p_pptr->uid, current->p_pptr->euid ); | |
311 | + goto out; | |
312 | + } | |
313 | +#endif | |
314 | +#ifdef CONFIG_SECURE_TRACE | |
315 | + if (sysctl_security_trace && current->uid | |
316 | +#ifdef CONFIG_SECURE_TRACE_USERGROUP | |
317 | + && current->egid != sysctl_security_trace_gid | |
318 | +#endif | |
319 | + ) { | |
320 | + security_alert("denied ptrace of %s[%d] by %s[%d], " | |
321 | + "UID/EUID %d/%d, GID/EGID %d/%d, parent %s[%d], " | |
322 | + "UID/EUID %d/%d, GID/EGID %d/%d", | |
323 | + "ptrace attempts", | |
324 | + child->comm, child->pid, current->comm, | |
325 | + current->pid, current->uid, | |
326 | + current->euid, current->gid, | |
327 | + current->egid, current->p_pptr->comm, | |
328 | + current->p_pptr->pid, current->p_pptr->uid, | |
329 | + current->p_pptr->euid, current->p_pptr->gid, | |
330 | + current->p_pptr->egid ); | |
331 | + goto out; | |
332 | + } | |
333 | + security_alert("ptrace of %s[%d] by %s[%d], " | |
334 | + "UID/EUID %d/%d, GID/EGID %d/%d, parent %s[%d], " | |
335 | + "UID/EUID %d/%d, GID/EGID %d/%d", | |
336 | + "ptraces", | |
337 | + child->comm, child->pid, current->comm, | |
338 | + current->pid, current->uid, | |
339 | + current->euid, current->gid, | |
340 | + current->egid, current->p_pptr->comm, | |
341 | + current->p_pptr->pid, current->p_pptr->uid, | |
342 | + current->p_pptr->euid, current->p_pptr->gid, | |
343 | + current->p_pptr->egid ); | |
344 | +#endif | |
345 | child->ptrace |= PT_PTRACED; | |
346 | ||
347 | if (child->p_pptr != current) { | |
348 | @@ -855,12 +906,19 @@ | |
349 | return ret; | |
350 | } | |
351 | ||
352 | -asmlinkage void syscall_trace(void) | |
353 | +asmlinkage void syscall_trace(int unused) | |
354 | { | |
355 | +#ifdef CONFIG_SECURE_TRACE | |
356 | + struct pt_regs *regs = (struct pt_regs *) &unused; | |
357 | +#endif | |
358 | if ((current->ptrace & (PT_PTRACED|PT_TRACESYS)) | |
359 | != (PT_PTRACED|PT_TRACESYS)) | |
360 | return; | |
361 | current->exit_code = SIGTRAP; | |
362 | +#ifdef CONFIG_SECURE_TRACE | |
363 | + if (!user_mode(regs)) | |
364 | + return; /* Don't trace the kernel's syscalls */ | |
365 | +#endif | |
366 | current->state = TASK_STOPPED; | |
367 | notify_parent(current, SIGCHLD); | |
368 | schedule(); | |
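Review bot: The new guard `if (!user_mode(regs))` in the ARM syscall_trace hunk is placed after `current->exit_code = SIGTRAP;`, so the early return leaves a stale SIGTRAP in exit_code; the three guard lines belong above the assignment, as the alpha, i386 and mips hunks of this same patch have them. Separately, `struct pt_regs *regs = (struct pt_regs *) &unused;` presumes the first argument lives on the stack at the base of the saved register frame, but under the ARM calling convention the first argument arrives in r0, so `&unused` points at wherever the compiler homes r0 in syscall_trace's own frame, not at the pt_regs, and user_mode(regs) reads an unrelated word. Unless the ARM entry code is changed elsewhere in this patch to pass the frame, syscall_trace should take `struct pt_regs *regs` as a real parameter and the entry stub should pass its address.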
369 | diff -urP linux-2.2.20-ow1/arch/i386/defconfig linux-2.2.20-hap-2/arch/i386/defconfig | |
370 | --- linux-2.2.20-ow1/arch/i386/defconfig Sat Nov 3 13:14:57 2001 | |
371 | +++ linux-2.2.20-hap-2/arch/i386/defconfig Fri Nov 9 19:16:17 2001 | |
372 | @@ -427,11 +427,17 @@ | |
373 | CONFIG_SECURE_STACK_SMART=y | |
374 | CONFIG_SECURE_LINK=y | |
375 | CONFIG_SECURE_FIFO=y | |
376 | -# CONFIG_SECURE_PROC is not set | |
377 | +CONFIG_SECURE_NOTSOMUCH=y | |
378 | +CONFIG_SECURE_PROC=y | |
379 | CONFIG_SECURE_FD_0_1_2=y | |
380 | CONFIG_SECURE_RLIMIT_NPROC=y | |
381 | # CONFIG_SECURE_SHM is not set | |
382 | - | |
383 | +CONFIG_SECURE_BUGFIX=y | |
384 | +CONFIG_SECURE_LOGGING=y | |
385 | +CONFIG_SECURE_NETWORK=y | |
386 | +# CONFIG_SECURE_NET_SBD is not set | |
387 | +CONFIG_SECURE_CHROOT=y | |
388 | +CONFIG_SECURE_TRACE=y | |
389 | # | |
390 | # Kernel hacking | |
391 | # | |
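Review bot: `CONFIG_SECURE_TRACE=y` is switched on in the i386 defconfig only, with neither `CONFIG_SECURE_TRACE_USERGROUP=y` nor a `# CONFIG_SECURE_TRACE_USERGROUP is not set` line, so a default i386 build denies ptrace to every non-root user (per the new help text) with no group escape hatch, while the alpha, arm, m68k, mips and ppc defconfigs in this patch leave it off; that asymmetry looks unintentional and deserves either a matching `# CONFIG_SECURE_TRACE is not set` here or the same default everywhere. The hunk also drops the blank separator line before the `# Kernel hacking` comment block that the other defconfigs keep. Note as well that this defconfig carries `CONFIG_SECURE_FIFO=y` while the new CONFIG_SECURE_NOTSOMUCH help text refers to `CONFIG_SECURE_PIPE`; one of the two names is wrong.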
392 | diff -urP linux-2.2.20-ow1/arch/i386/kernel/ptrace.c linux-2.2.20-hap-2/arch/i386/kernel/ptrace.c | |
393 | --- linux-2.2.20-ow1/arch/i386/kernel/ptrace.c Fri Nov 2 11:39:05 2001 | |
394 | +++ linux-2.2.20-hap-2/arch/i386/kernel/ptrace.c Fri Nov 9 19:16:17 2001 | |
395 | @@ -385,6 +385,9 @@ | |
396 | ||
397 | asmlinkage int sys_ptrace(long request, long pid, long addr, long data) | |
398 | { | |
399 | +#ifdef CONFIG_SECURE_TRACE | |
400 | + extern int sysctl_security_trace, sysctl_security_trace_gid; | |
401 | +#endif | |
402 | struct task_struct *child; | |
403 | struct user * dummy = NULL; | |
404 | unsigned long flags; | |
405 | @@ -425,6 +428,54 @@ | |
406 | /* the same process cannot be attached many times */ | |
407 | if (child->ptrace & PT_PTRACED) | |
408 | goto out; | |
409 | +#ifdef CONFIG_SECURE_CHROOT | |
410 | + if (!(hap_same_root_as_init(current)) && | |
411 | + !(hap_same_root(current, child)) ) { | |
412 | + /* | |
413 | + * This process is chrooted; don't let it ptrace | |
414 | + * any process not in the same jail with it | |
415 | + */ | |
416 | + security_alert("denied ptrace of %s[%d] within chrooted " | |
417 | + "jail [%s]:%lu by %s[%d], UID %d, EUID %d, parent %s[%d], UID %d, EUID %d", | |
418 | + "ptraces from a chrooted process", | |
419 | + child->comm, child->pid, kdevname(current->fs->root->d_inode->i_dev), | |
420 | + current->fs->root->d_inode->i_ino, current->comm, current->pid, | |
421 | + current->uid, current->euid, current->p_pptr->comm, current->p_pptr->pid, | |
422 | + current->p_pptr->uid, current->p_pptr->euid ); | |
423 | + goto out; | |
424 | + } | |
425 | +#endif | |
426 | +#ifdef CONFIG_SECURE_TRACE | |
427 | + if (sysctl_security_trace && current->uid | |
428 | +#ifdef CONFIG_SECURE_TRACE_USERGROUP | |
429 | + && current->egid != sysctl_security_trace_gid | |
430 | +#endif | |
431 | + ) { | |
432 | + security_alert("denied ptrace of %s[%d] by %s[%d], " | |
433 | + "UID/EUID %d/%d, GID/EGID %d/%d, parent %s[%d], " | |
434 | + "UID/EUID %d/%d, GID/EGID %d/%d", | |
435 | + "ptrace attempts", | |
436 | + child->comm, child->pid, current->comm, | |
437 | + current->pid, current->uid, | |
438 | + current->euid, current->gid, | |
439 | + current->egid, current->p_pptr->comm, | |
440 | + current->p_pptr->pid, current->p_pptr->uid, | |
441 | + current->p_pptr->euid, current->p_pptr->gid, | |
442 | + current->p_pptr->egid ); | |
443 | + goto out; | |
444 | + } | |
445 | + security_alert("ptrace of %s[%d] by %s[%d], " | |
446 | + "UID/EUID %d/%d, GID/EGID %d/%d, parent %s[%d], " | |
447 | + "UID/EUID %d/%d, GID/EGID %d/%d", | |
448 | + "ptraces", | |
449 | + child->comm, child->pid, current->comm, | |
450 | + current->pid, current->uid, | |
451 | + current->euid, current->gid, | |
452 | + current->egid, current->p_pptr->comm, | |
453 | + current->p_pptr->pid, current->p_pptr->uid, | |
454 | + current->p_pptr->euid, current->p_pptr->gid, | |
455 | + current->p_pptr->egid ); | |
456 | +#endif | |
457 | child->ptrace |= PT_PTRACED; | |
458 | ||
459 | write_lock_irqsave(&tasklist_lock, flags); | |
460 | @@ -708,11 +759,18 @@ | |
461 | return ret; | |
462 | } | |
463 | ||
464 | -asmlinkage void syscall_trace(void) | |
465 | +asmlinkage void syscall_trace(int unused) | |
466 | { | |
467 | +#ifdef CONFIG_SECURE_TRACE | |
468 | + struct pt_regs *regs = (struct pt_regs *) &unused; | |
469 | +#endif | |
470 | if ((current->ptrace & (PT_PTRACED|PT_TRACESYS)) | |
471 | != (PT_PTRACED|PT_TRACESYS)) | |
472 | return; | |
473 | +#ifdef CONFIG_SECURE_TRACE | |
474 | + if (!user_mode(regs)) | |
475 | + return; /* Don't trace the kernel's syscalls */ | |
476 | +#endif | |
477 | current->exit_code = SIGTRAP; | |
478 | current->state = TASK_STOPPED; | |
479 | notify_parent(current, SIGCHLD); | |
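Review bot: The new gate `if (sysctl_security_trace && current->uid` decides "root" by the real uid and the exception `&& current->egid != sysctl_security_trace_gid` looks only at the effective gid, and both sit in the attach path after the "cannot be attached many times" test; as far as this hunk shows, the PTRACE_TRACEME branch earlier in sys_ptrace (outside the hunk) is not gated, so unless another hunk covers it a non-root user can still trace a program it forks itself and only `strace -p` is blocked, contrary to the "entirely" wording in the help text. The real-uid test also lets a root process that has only dropped its euid through while rejecting a setuid-root tracer run by an ordinary user; the kernel's own ptrace permission test a few lines above uses capabilities, so `!capable(CAP_SYS_PTRACE)` in place of `current->uid` would be consistent with it. For the group exception, `!in_group_p(sysctl_security_trace_gid)` would honour supplementary group membership as the help text ("Users in this group") promises, whereas the egid comparison only works through the recommended setgid strace binary. The enclosing sys_ptrace body continues outside the hunk.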
480 | diff -urP linux-2.2.20-ow1/arch/i386/kernel/traps.c linux-2.2.20-hap-2/arch/i386/kernel/traps.c | |
481 | --- linux-2.2.20-ow1/arch/i386/kernel/traps.c Sat Nov 3 13:14:57 2001 | |
482 | +++ linux-2.2.20-hap-2/arch/i386/kernel/traps.c Fri Nov 9 19:16:17 2001 | |
483 | @@ -401,11 +401,13 @@ | |
484 | */ | |
485 | if ((addr & 0xFF800000) == 0xBF800000 || | |
486 | (addr >= PAGE_OFFSET - _STK_LIM && addr < PAGE_OFFSET)) | |
487 | - security_alert("return onto stack running as " | |
488 | - "UID %d, EUID %d, process %s:%d", | |
489 | + security_alert("return onto stack by %s[%d], UID %d, " | |
490 | + "EUID %d, parent %s[%d], UID %d, EUID %d", | |
491 | "returns onto stack", | |
492 | - current->uid, current->euid, | |
493 | - current->comm, current->pid); | |
494 | + current->comm, current->pid, current->uid, | |
495 | + current->euid, current->p_pptr->comm, | |
496 | + current->p_pptr->pid, current->p_pptr->uid, | |
497 | + current->p_pptr->euid); | |
498 | } | |
499 | ||
500 | #ifdef CONFIG_SECURE_STACK_SMART | |
501 | diff -urP linux-2.2.20-ow1/arch/m68k/defconfig linux-2.2.20-hap-2/arch/m68k/defconfig | |
502 | --- linux-2.2.20-ow1/arch/m68k/defconfig Sat Nov 3 13:14:57 2001 | |
503 | +++ linux-2.2.20-hap-2/arch/m68k/defconfig Fri Nov 9 19:16:17 2001 | |
504 | @@ -243,10 +243,15 @@ | |
505 | # | |
506 | CONFIG_SECURE_LINK=y | |
507 | CONFIG_SECURE_FIFO=y | |
508 | -# CONFIG_SECURE_PROC is not set | |
509 | +CONFIG_SECURE_NOTSOMUCH=y | |
510 | +CONFIG_SECURE_PROC=y | |
511 | CONFIG_SECURE_FD_0_1_2=y | |
512 | CONFIG_SECURE_RLIMIT_NPROC=y | |
513 | # CONFIG_SECURE_SHM is not set | |
514 | +CONFIG_SECURE_LOGGING=y | |
515 | +CONFIG_SECURE_NETWORK=y | |
516 | +# CONFIG_SECURE_NET_SBD is not set | |
517 | +CONFIG_SECURE_CHROOT=y | |
518 | ||
519 | # | |
520 | # Kernel hacking | |
521 | diff -urP linux-2.2.20-ow1/arch/m68k/kernel/ptrace.c linux-2.2.20-hap-2/arch/m68k/kernel/ptrace.c | |
522 | --- linux-2.2.20-ow1/arch/m68k/kernel/ptrace.c Fri Nov 2 11:39:05 2001 | |
523 | +++ linux-2.2.20-hap-2/arch/m68k/kernel/ptrace.c Fri Nov 9 19:16:17 2001 | |
524 | @@ -312,6 +312,9 @@ | |
525 | ||
526 | asmlinkage int sys_ptrace(long request, long pid, long addr, long data) | |
527 | { | |
528 | +#ifdef CONFIG_SECURE_TRACE | |
529 | + extern int sysctl_security_trace, sysctl_security_trace_gid; | |
530 | +#endif | |
531 | struct task_struct *child; | |
532 | unsigned long flags; | |
533 | int ret; | |
534 | @@ -351,6 +354,54 @@ | |
535 | /* the same process cannot be attached many times */ | |
536 | if (child->ptrace & PT_PTRACED) | |
537 | goto out; | |
538 | +#ifdef CONFIG_SECURE_CHROOT | |
539 | + if (!(hap_same_root_as_init(current)) && | |
540 | + !(hap_same_root(current, child)) ) { | |
541 | + /* | |
542 | + * This process is chrooted; don't let it ptrace | |
543 | + * any process not in the same jail with it | |
544 | + */ | |
545 | + security_alert("denied ptrace of %s[%d] within chrooted " | |
546 | + "jail [%s]:%lu by %s[%d], UID %d, EUID %d, parent %s[%d], UID %d, EUID %d", | |
547 | + "ptraces from a chrooted process", | |
548 | + child->comm, child->pid, kdevname(current->fs->root->d_inode->i_dev), | |
549 | + current->fs->root->d_inode->i_ino, current->comm, current->pid, | |
550 | + current->uid, current->euid, current->p_pptr->comm, current->p_pptr->pid, | |
551 | + current->p_pptr->uid, current->p_pptr->euid ); | |
552 | + goto out; | |
553 | + } | |
554 | +#endif | |
555 | +#ifdef CONFIG_SECURE_TRACE | |
556 | + if (sysctl_security_trace && current->uid | |
557 | +#ifdef CONFIG_SECURE_TRACE_USERGROUP | |
558 | + && current->egid != sysctl_security_trace_gid | |
559 | +#endif | |
560 | + ) { | |
561 | + security_alert("denied ptrace of %s[%d] by %s[%d], " | |
562 | + "UID/EUID %d/%d, GID/EGID %d/%d, parent %s[%d], " | |
563 | + "UID/EUID %d/%d, GID/EGID %d/%d", | |
564 | + "ptrace attempts", | |
565 | + child->comm, child->pid, current->comm, | |
566 | + current->pid, current->uid, | |
567 | + current->euid, current->gid, | |
568 | + current->egid, current->p_pptr->comm, | |
569 | + current->p_pptr->pid, current->p_pptr->uid, | |
570 | + current->p_pptr->euid, current->p_pptr->gid, | |
571 | + current->p_pptr->egid ); | |
572 | + goto out; | |
573 | + } | |
574 | + security_alert("ptrace of %s[%d] by %s[%d], " | |
575 | + "UID/EUID %d/%d, GID/EGID %d/%d, parent %s[%d], " | |
576 | + "UID/EUID %d/%d, GID/EGID %d/%d", | |
577 | + "ptraces", | |
578 | + child->comm, child->pid, current->comm, | |
579 | + current->pid, current->uid, | |
580 | + current->euid, current->gid, | |
581 | + current->egid, current->p_pptr->comm, | |
582 | + current->p_pptr->pid, current->p_pptr->uid, | |
583 | + current->p_pptr->euid, current->p_pptr->gid, | |
584 | + current->p_pptr->egid ); | |
585 | +#endif | |
586 | child->ptrace |= PT_PTRACED; | |
587 | ||
588 | write_lock_irqsave(&tasklist_lock, flags); | |
589 | @@ -604,13 +655,20 @@ | |
590 | return ret; | |
591 | } | |
592 | ||
593 | -asmlinkage void syscall_trace(void) | |
594 | +asmlinkage void syscall_trace(int unused) | |
595 | { | |
596 | +#ifdef CONFIG_SECURE_TRACE | |
597 | + struct pt_regs *regs = (struct pt_regs *) &unused; | |
598 | +#endif | |
599 | lock_kernel(); | |
600 | if ((current->ptrace & (PT_PTRACED|PT_TRACESYS)) | |
601 | != (PT_PTRACED|PT_TRACESYS)) | |
602 | goto out; | |
603 | current->exit_code = SIGTRAP; | |
604 | +#ifdef CONFIG_SECURE_TRACE | |
605 | + if (!user_mode(regs)) | |
606 | + return; /* Don't trace the kernel's syscalls */ | |
607 | +#endif | |
608 | current->state = TASK_STOPPED; | |
609 | notify_parent(current, SIGCHLD); | |
610 | schedule(); | |
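Review bot: The added `return; /* Don't trace the kernel's syscalls */` in the m68k syscall_trace hunk leaves the kernel lock held: this function calls `lock_kernel()` on entry and the existing not-traced path leaves through `goto out`, but the new guard returns directly, so a traced task whose syscall_trace is entered from kernel mode returns with the lock depth still raised. It should be `goto out;` like the line above it. The guard is also placed after `current->exit_code = SIGTRAP;`, leaving a stale exit_code on that path; moving the check before the assignment, as the i386 and alpha hunks do, avoids both problems at once. The `out:` label and its unlock are outside this hunk, and the `(struct pt_regs *) &unused` cast still presumes the frame sits at the first stack argument slot, which should be confirmed against the m68k entry code.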
611 | diff -urP linux-2.2.20-ow1/arch/mips/defconfig linux-2.2.20-hap-2/arch/mips/defconfig | |
612 | --- linux-2.2.20-ow1/arch/mips/defconfig Sat Nov 3 13:14:57 2001 | |
613 | +++ linux-2.2.20-hap-2/arch/mips/defconfig Fri Nov 9 19:16:17 2001 | |
614 | @@ -369,10 +369,15 @@ | |
615 | # | |
616 | CONFIG_SECURE_LINK=y | |
617 | CONFIG_SECURE_FIFO=y | |
618 | -# CONFIG_SECURE_PROC is not set | |
619 | +CONFIG_SECURE_NOTSOMUCH=y | |
620 | +CONFIG_SECURE_PROC=y | |
621 | CONFIG_SECURE_FD_0_1_2=y | |
622 | CONFIG_SECURE_RLIMIT_NPROC=y | |
623 | # CONFIG_SECURE_SHM is not set | |
624 | +CONFIG_SECURE_LOGGING=y | |
625 | +CONFIG_SECURE_NETWORK=y | |
626 | +# CONFIG_SECURE_NET_SBD is not set | |
627 | +CONFIG_SECURE_CHROOT=y | |
628 | ||
629 | # | |
630 | # Kernel hacking | |
631 | diff -urP linux-2.2.20-ow1/arch/mips/kernel/ptrace.c linux-2.2.20-hap-2/arch/mips/kernel/ptrace.c | |
632 | --- linux-2.2.20-ow1/arch/mips/kernel/ptrace.c Fri Nov 2 11:39:05 2001 | |
633 | +++ linux-2.2.20-hap-2/arch/mips/kernel/ptrace.c Fri Nov 9 19:16:17 2001 | |
634 | @@ -258,6 +258,9 @@ | |
635 | ||
636 | asmlinkage int sys_ptrace(long request, long pid, long addr, long data) | |
637 | { | |
638 | +#ifdef CONFIG_SECURE_TRACE | |
639 | + extern int sysctl_security_trace, sysctl_security_trace_gid; | |
640 | +#endif | |
641 | struct task_struct *child; | |
642 | unsigned int flags; | |
643 | int res; | |
644 | @@ -308,6 +311,54 @@ | |
645 | /* the same process cannot be attached many times */ | |
646 | if (child->ptrace & PT_PTRACED) | |
647 | goto out; | |
648 | +#ifdef CONFIG_SECURE_CHROOT | |
649 | + if (!(hap_same_root_as_init(current)) && | |
650 | + !(hap_same_root(current, child)) ) { | |
651 | + /* | |
652 | + * This process is chrooted; don't let it ptrace | |
653 | + * any process not in the same jail with it | |
654 | + */ | |
655 | + security_alert("denied ptrace of %s[%d] within chrooted " | |
656 | + "jail [%s]:%lu by %s[%d], UID %d, EUID %d, parent %s[%d], UID %d, EUID %d", | |
657 | + "ptraces from a chrooted process", | |
658 | + child->comm, child->pid, kdevname(current->fs->root->d_inode->i_dev), | |
659 | + current->fs->root->d_inode->i_ino, current->comm, current->pid, | |
660 | + current->uid, current->euid, current->p_pptr->comm, current->p_pptr->pid, | |
661 | + current->p_pptr->uid, current->p_pptr->euid ); | |
662 | + goto out; | |
663 | + } | |
664 | +#endif | |
665 | +#ifdef CONFIG_SECURE_TRACE | |
666 | + if (sysctl_security_trace && current->uid | |
667 | +#ifdef CONFIG_SECURE_TRACE_USERGROUP | |
668 | + && current->egid != sysctl_security_trace_gid | |
669 | +#endif | |
670 | + ) { | |
671 | + security_alert("denied ptrace of %s[%d] by %s[%d], " | |
672 | + "UID/EUID %d/%d, GID/EGID %d/%d, parent %s[%d], " | |
673 | + "UID/EUID %d/%d, GID/EGID %d/%d", | |
674 | + "ptrace attempts", | |
675 | + child->comm, child->pid, current->comm, | |
676 | + current->pid, current->uid, | |
677 | + current->euid, current->gid, | |
678 | + current->egid, current->p_pptr->comm, | |
679 | + current->p_pptr->pid, current->p_pptr->uid, | |
680 | + current->p_pptr->euid, current->p_pptr->gid, | |
681 | + current->p_pptr->egid ); | |
682 | + goto out; | |
683 | + } | |
684 | + security_alert("ptrace of %s[%d] by %s[%d], " | |
685 | + "UID/EUID %d/%d, GID/EGID %d/%d, parent %s[%d], " | |
686 | + "UID/EUID %d/%d, GID/EGID %d/%d", | |
687 | + "ptraces", | |
688 | + child->comm, child->pid, current->comm, | |
689 | + current->pid, current->uid, | |
690 | + current->euid, current->gid, | |
691 | + current->egid, current->p_pptr->comm, | |
692 | + current->p_pptr->pid, current->p_pptr->uid, | |
693 | + current->p_pptr->euid, current->p_pptr->gid, | |
694 | + current->p_pptr->egid ); | |
695 | +#endif | |
696 | child->ptrace |= PT_PTRACED; | |
697 | ||
698 | write_lock_irqsave(&tasklist_lock, flags); | |
699 | @@ -520,11 +571,18 @@ | |
700 | return res; | |
701 | } | |
702 | ||
703 | -asmlinkage void syscall_trace(void) | |
704 | +asmlinkage void syscall_trace(int unused) | |
705 | { | |
706 | +#ifdef CONFIG_SECURE_TRACE | |
707 | + struct pt_regs *regs = (struct pt_regs *) &unused; | |
708 | +#endif | |
709 | if ((current->ptrace & (PT_PTRACED|PT_TRACESYS)) | |
710 | != (PT_PTRACED|PT_TRACESYS)) | |
711 | return; | |
712 | +#ifdef CONFIG_SECURE_TRACE | |
713 | + if (!user_mode(regs)) | |
714 | + return; /* Don't trace the kernel's syscalls */ | |
715 | +#endif | |
716 | current->exit_code = SIGTRAP; | |
717 | current->state = TASK_STOPPED; | |
718 | notify_parent(current, SIGCHLD); | |
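Review bot: `struct pt_regs *regs = (struct pt_regs *) &unused;` (L711) assumes the entry code placed the saved register block exactly where the first C argument lands and that the compiler keeps `unused` in that slot; that is a per-port ABI assumption and nothing in the hunk records it. The same lines are copied into the ppc (L819), s390 (L927), sparc (L1037) and sparc64 (L1149) versions of syscall_trace, whose argument-passing conventions differ, and whether it holds there depends on each port's entry path, which this diff does not touch. Passing `struct pt_regs *regs` explicitly from the caller would remove the guesswork; at minimum the line needs a comment such as `/* relies on the entry code handing us pt_regs at the first-argument slot */`. syscall_trace's body continues past the end of the hunk.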
719 | diff -urP linux-2.2.20-ow1/arch/ppc/defconfig linux-2.2.20-hap-2/arch/ppc/defconfig | |
720 | --- linux-2.2.20-ow1/arch/ppc/defconfig Sat Nov 3 13:14:57 2001 | |
721 | +++ linux-2.2.20-hap-2/arch/ppc/defconfig Fri Nov 9 19:16:17 2001 | |
722 | @@ -499,10 +499,15 @@ | |
723 | # | |
724 | CONFIG_SECURE_LINK=y | |
725 | CONFIG_SECURE_FIFO=y | |
726 | -# CONFIG_SECURE_PROC is not set | |
727 | +CONFIG_SECURE_NOTSOMUCH=y | |
728 | +CONFIG_SECURE_PROC=y | |
729 | CONFIG_SECURE_FD_0_1_2=y | |
730 | CONFIG_SECURE_RLIMIT_NPROC=y | |
731 | # CONFIG_SECURE_SHM is not set | |
732 | +CONFIG_SECURE_LOGGING=y | |
733 | +CONFIG_SECURE_NETWORK=y | |
734 | +# CONFIG_SECURE_NET_SBD is not set | |
735 | +CONFIG_SECURE_CHROOT=y | |
736 | ||
737 | # | |
738 | # Kernel hacking | |
739 | diff -urP linux-2.2.20-ow1/arch/ppc/kernel/ptrace.c linux-2.2.20-hap-2/arch/ppc/kernel/ptrace.c | |
740 | --- linux-2.2.20-ow1/arch/ppc/kernel/ptrace.c Fri Nov 2 11:39:05 2001 | |
741 | +++ linux-2.2.20-hap-2/arch/ppc/kernel/ptrace.c Fri Nov 9 19:16:17 2001 | |
742 | @@ -334,6 +334,9 @@ | |
743 | ||
744 | asmlinkage int sys_ptrace(long request, long pid, long addr, long data) | |
745 | { | |
746 | +#ifdef CONFIG_SECURE_TRACE | |
747 | + extern int sysctl_security_trace, sysctl_security_trace_gid; | |
748 | +#endif | |
749 | struct task_struct *child; | |
750 | int ret = -EPERM; | |
751 | unsigned long flags; | |
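Review bot: `extern int sysctl_security_trace, sysctl_security_trace_gid;` is declared inside the function body and repeated verbatim in every arch's ptrace.c and in fs/exec.c (L859, L968, L1080, L1172); a single declaration in a shared header would keep the type and names in one place, so a later change to the sysctl's type cannot silently leave one copy behind. Block-scope externs also hide the dependency from anyone reading the top of the file. sys_ptrace's body continues outside the hunk.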
752 | @@ -372,6 +375,54 @@ | |
753 | /* the same process cannot be attached many times */ | |
754 | if (child->ptrace & PT_PTRACED) | |
755 | goto out; | |
756 | +#ifdef CONFIG_SECURE_CHROOT | |
757 | + if (!(hap_same_root_as_init(current)) && | |
758 | + !(hap_same_root(current, child)) ) { | |
759 | + /* | |
760 | + * This process is chrooted; don't let it ptrace | |
761 | + * any process not in the same jail with it | |
762 | + */ | |
763 | + security_alert("denied ptrace of %s[%d] within chrooted " | |
764 | + "jail [%s]:%lu by %s[%d], UID %d, EUID %d, parent %s[%d], UID %d, EUID %d", | |
765 | + "ptraces from a chrooted process", | |
766 | + child->comm, child->pid, kdevname(current->fs->root->d_inode->i_dev), | |
767 | + current->fs->root->d_inode->i_ino, current->comm, current->pid, | |
768 | + current->uid, current->euid, current->p_pptr->comm, current->p_pptr->pid, | |
769 | + current->p_pptr->uid, current->p_pptr->euid ); | |
770 | + goto out; | |
771 | + } | |
772 | +#endif | |
773 | +#ifdef CONFIG_SECURE_TRACE | |
774 | + if (sysctl_security_trace && current->uid | |
775 | +#ifdef CONFIG_SECURE_TRACE_USERGROUP | |
776 | + && current->egid != sysctl_security_trace_gid | |
777 | +#endif | |
778 | + ) { | |
779 | + security_alert("denied ptrace of %s[%d] by %s[%d], " | |
780 | + "UID/EUID %d/%d, GID/EGID %d/%d, parent %s[%d], " | |
781 | + "UID/EUID %d/%d, GID/EGID %d/%d", | |
782 | + "ptrace attempts", | |
783 | + child->comm, child->pid, current->comm, | |
784 | + current->pid, current->uid, | |
785 | + current->euid, current->gid, | |
786 | + current->egid, current->p_pptr->comm, | |
787 | + current->p_pptr->pid, current->p_pptr->uid, | |
788 | + current->p_pptr->euid, current->p_pptr->gid, | |
789 | + current->p_pptr->egid ); | |
790 | + goto out; | |
791 | + } | |
792 | + security_alert("ptrace of %s[%d] by %s[%d], " | |
793 | + "UID/EUID %d/%d, GID/EGID %d/%d, parent %s[%d], " | |
794 | + "UID/EUID %d/%d, GID/EGID %d/%d", | |
795 | + "ptraces", | |
796 | + child->comm, child->pid, current->comm, | |
797 | + current->pid, current->uid, | |
798 | + current->euid, current->gid, | |
799 | + current->egid, current->p_pptr->comm, | |
800 | + current->p_pptr->pid, current->p_pptr->uid, | |
801 | + current->p_pptr->euid, current->p_pptr->gid, | |
802 | + current->p_pptr->egid ); | |
803 | +#endif | |
804 | child->ptrace |= PT_PTRACED; | |
805 | ||
806 | write_lock_irqsave(&tasklist_lock, flags); | |
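Review bot: The privilege test on L778 is `current->uid`, the real uid, so a process that has switched to an unprivileged effective uid but still has uid 0 passes, while a set-uid-root tool started by an ordinary user (uid != 0, euid 0) is refused; if the intent is "only root may attach", `capable(CAP_SYS_PTRACE)` (or at least the effective uid) is the check the rest of ptrace's permission logic is expressed in. The same condition is repeated in the s390 (L886), sparc (L996), sparc64 (L1108) and fs/exec.c (L1187) hunks. The unconditional alert at L796-L806 logs every permitted attach even when `sysctl_security_trace` is 0; if that is deliberate, a one-line comment such as `/* audit every attach, not only the ones the sysctl filters */` would stop a later reader from "fixing" it.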
807 | @@ -539,11 +590,18 @@ | |
808 | return ret; | |
809 | } | |
810 | ||
811 | -asmlinkage void syscall_trace(void) | |
812 | +asmlinkage void syscall_trace(int unused) | |
813 | { | |
814 | +#ifdef CONFIG_SECURE_TRACE | |
815 | + struct pt_regs *regs = (struct pt_regs *) &unused; | |
816 | +#endif | |
817 | if ((current->ptrace & (PT_PTRACED|PT_TRACESYS)) | |
818 | != (PT_PTRACED|PT_TRACESYS)) | |
819 | return; | |
820 | +#ifdef CONFIG_SECURE_TRACE | |
821 | + if (!user_mode(regs)) | |
822 | + return; /* Don't trace the kernel's syscalls */ | |
823 | +#endif | |
824 | current->exit_code = SIGTRAP; | |
825 | current->state = TASK_STOPPED; | |
826 | notify_parent(current, SIGCHLD); | |
827 | diff -urP linux-2.2.20-ow1/arch/s390/defconfig linux-2.2.20-hap-2/arch/s390/defconfig | |
828 | --- linux-2.2.20-ow1/arch/s390/defconfig Sat Nov 3 13:14:57 2001 | |
829 | +++ linux-2.2.20-hap-2/arch/s390/defconfig Fri Nov 9 19:16:17 2001 | |
830 | @@ -194,10 +194,15 @@ | |
831 | # | |
832 | CONFIG_SECURE_LINK=y | |
833 | CONFIG_SECURE_FIFO=y | |
834 | -# CONFIG_SECURE_PROC is not set | |
835 | +CONFIG_SECURE_NOTSOMUCH=y | |
836 | +CONFIG_SECURE_PROC=y | |
837 | CONFIG_SECURE_FD_0_1_2=y | |
838 | CONFIG_SECURE_RLIMIT_NPROC=y | |
839 | # CONFIG_SECURE_SHM is not set | |
840 | +CONFIG_SECURE_LOGGING=y | |
841 | +CONFIG_SECURE_NETWORK=y | |
842 | +# CONFIG_SECURE_NET_SBD is not set | |
843 | +CONFIG_SECURE_CHROOT=y | |
844 | ||
845 | # | |
846 | # Kernel hacking | |
847 | diff -urP linux-2.2.20-ow1/arch/s390/kernel/ptrace.c linux-2.2.20-hap-2/arch/s390/kernel/ptrace.c | |
848 | --- linux-2.2.20-ow1/arch/s390/kernel/ptrace.c Fri Nov 2 11:39:06 2001 | |
849 | +++ linux-2.2.20-hap-2/arch/s390/kernel/ptrace.c Fri Nov 9 19:16:17 2001 | |
850 | @@ -427,6 +427,9 @@ | |
851 | ||
852 | asmlinkage int sys_ptrace(long request, long pid, long addr, long data) | |
853 | { | |
854 | +#ifdef CONFIG_SECURE_TRACE | |
855 | + extern int sysctl_security_trace, sysctl_security_trace_gid; | |
856 | +#endif | |
857 | struct task_struct *child; | |
858 | int ret = -EPERM; | |
859 | unsigned long tmp; | |
860 | @@ -461,6 +464,54 @@ | |
861 | /* the same process cannot be attached many times */ | |
862 | if (child->ptrace & PT_PTRACED) | |
863 | goto out; | |
864 | +#ifdef CONFIG_SECURE_CHROOT | |
865 | + if (!(hap_same_root_as_init(current)) && | |
866 | + !(hap_same_root(current, child)) ) { | |
867 | + /* | |
868 | + * This process is chrooted; don't let it ptrace | |
869 | + * any process not in the same jail with it | |
870 | + */ | |
871 | + security_alert("denied ptrace of %s[%d] within chrooted " | |
872 | + "jail [%s]:%lu by %s[%d], UID %d, EUID %d, parent %s[%d], UID %d, EUID %d", | |
873 | + "ptraces from a chrooted process", | |
874 | + child->comm, child->pid, kdevname(current->fs->root->d_inode->i_dev), | |
875 | + current->fs->root->d_inode->i_ino, current->comm, current->pid, | |
876 | + current->uid, current->euid, current->p_pptr->comm, current->p_pptr->pid, | |
877 | + current->p_pptr->uid, current->p_pptr->euid ); | |
878 | + goto out; | |
879 | + } | |
880 | +#endif | |
881 | +#ifdef CONFIG_SECURE_TRACE | |
882 | + if (sysctl_security_trace && current->uid | |
883 | +#ifdef CONFIG_SECURE_TRACE_USERGROUP | |
884 | + && current->egid != sysctl_security_trace_gid | |
885 | +#endif | |
886 | + ) { | |
887 | + security_alert("denied ptrace of %s[%d] by %s[%d], " | |
888 | + "UID/EUID %d/%d, GID/EGID %d/%d, parent %s[%d], " | |
889 | + "UID/EUID %d/%d, GID/EGID %d/%d", | |
890 | + "ptrace attempts", | |
891 | + child->comm, child->pid, current->comm, | |
892 | + current->pid, current->uid, | |
893 | + current->euid, current->gid, | |
894 | + current->egid, current->p_pptr->comm, | |
895 | + current->p_pptr->pid, current->p_pptr->uid, | |
896 | + current->p_pptr->euid, current->p_pptr->gid, | |
897 | + current->p_pptr->egid ); | |
898 | + goto out; | |
899 | + } | |
900 | + security_alert("ptrace of %s[%d] by %s[%d], " | |
901 | + "UID/EUID %d/%d, GID/EGID %d/%d, parent %s[%d], " | |
902 | + "UID/EUID %d/%d, GID/EGID %d/%d", | |
903 | + "ptraces", | |
904 | + child->comm, child->pid, current->comm, | |
905 | + current->pid, current->uid, | |
906 | + current->euid, current->gid, | |
907 | + current->egid, current->p_pptr->comm, | |
908 | + current->p_pptr->pid, current->p_pptr->uid, | |
909 | + current->p_pptr->euid, current->p_pptr->gid, | |
910 | + current->p_pptr->egid ); | |
911 | +#endif | |
912 | child->ptrace |= PT_PTRACED; | |
913 | if (child->p_pptr != current) | |
914 | { | |
915 | @@ -590,12 +641,19 @@ | |
916 | return ret; | |
917 | } | |
918 | ||
919 | -asmlinkage void syscall_trace(void) | |
920 | +asmlinkage void syscall_trace(int unused) | |
921 | { | |
922 | +#ifdef CONFIG_SECURE_TRACE | |
923 | + struct pt_regs *regs = (struct pt_regs *) &unused; | |
924 | +#endif | |
925 | lock_kernel(); | |
926 | if ((current->ptrace & (PT_PTRACED|PT_TRACESYS)) | |
927 | != (PT_PTRACED|PT_TRACESYS)) | |
928 | goto out; | |
929 | +#ifdef CONFIG_SECURE_TRACE | |
930 | + if (!user_mode(regs)) | |
931 | + return; /* Don't trace the kernel's syscalls */ | |
932 | +#endif | |
933 | current->exit_code = SIGTRAP; | |
934 | current->state = TASK_STOPPED; | |
935 | notify_parent(current, SIGCHLD); | |
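Review bot: The added early exit at L934-L935 uses `return`, but this port's syscall_trace takes `lock_kernel()` at L929 and the existing early exit on the line before it uses `goto out`, presumably to release the lock; the new path returns with the kernel lock still held. Change it to `goto out;` so it matches the check above it. The `out:` label is outside the hunk, so confirm it is the unlock path.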
936 | diff -urP linux-2.2.20-ow1/arch/sparc/defconfig linux-2.2.20-hap-2/arch/sparc/defconfig | |
937 | --- linux-2.2.20-ow1/arch/sparc/defconfig Sat Nov 3 13:14:57 2001 | |
938 | +++ linux-2.2.20-hap-2/arch/sparc/defconfig Fri Nov 9 19:16:17 2001 | |
939 | @@ -340,10 +340,15 @@ | |
940 | # | |
941 | CONFIG_SECURE_LINK=y | |
942 | CONFIG_SECURE_FIFO=y | |
943 | -# CONFIG_SECURE_PROC is not set | |
944 | +CONFIG_SECURE_NOTSOMUCH=y | |
945 | +CONFIG_SECURE_PROC=y | |
946 | CONFIG_SECURE_FD_0_1_2=y | |
947 | CONFIG_SECURE_RLIMIT_NPROC=y | |
948 | # CONFIG_SECURE_SHM is not set | |
949 | +CONFIG_SECURE_LOGGING=y | |
950 | +CONFIG_SECURE_NETWORK=y | |
951 | +# CONFIG_SECURE_NET_SBD is not set | |
952 | +CONFIG_SECURE_CHROOT=y | |
953 | ||
954 | # | |
955 | # Kernel hacking | |
956 | diff -urP linux-2.2.20-ow1/arch/sparc/kernel/ptrace.c linux-2.2.20-hap-2/arch/sparc/kernel/ptrace.c | |
957 | --- linux-2.2.20-ow1/arch/sparc/kernel/ptrace.c Fri Nov 2 11:39:06 2001 | |
958 | +++ linux-2.2.20-hap-2/arch/sparc/kernel/ptrace.c Fri Nov 9 19:16:17 2001 | |
959 | @@ -508,6 +508,9 @@ | |
960 | ||
961 | asmlinkage void do_ptrace(struct pt_regs *regs) | |
962 | { | |
963 | +#ifdef CONFIG_SECURE_TRACE | |
964 | + extern int sysctl_security_trace, sysctl_security_trace_gid; | |
965 | +#endif | |
966 | unsigned long request = regs->u_regs[UREG_I0]; | |
967 | unsigned long pid = regs->u_regs[UREG_I1]; | |
968 | unsigned long addr = regs->u_regs[UREG_I2]; | |
969 | @@ -582,6 +585,55 @@ | |
970 | pt_error_return(regs, EPERM); | |
971 | goto out; | |
972 | } | |
973 | +#ifdef CONFIG_SECURE_CHROOT | |
974 | + if (!(hap_same_root_as_init(current)) && | |
975 | + !(hap_same_root(current, child)) ) { | |
976 | + /* | |
977 | + * This process is chrooted; don't let it ptrace | |
978 | + * any process not in the same jail with it | |
979 | + */ | |
980 | + security_alert("denied ptrace of %s[%d] within chrooted " | |
981 | + "jail [%s]:%lu by %s[%d], UID %d, EUID %d, parent %s[%d], UID %d, EUID %d", | |
982 | + "ptraces from a chrooted process", | |
983 | + child->comm, child->pid, kdevname(current->fs->root->d_inode->i_dev), | |
984 | + current->fs->root->d_inode->i_ino, current->comm, current->pid, | |
985 | + current->uid, current->euid, current->p_pptr->comm, current->p_pptr->pid, | |
986 | + current->p_pptr->uid, current->p_pptr->euid ); | |
987 | + pt_error_return(regs, EPERM); | |
988 | + goto out; | |
989 | + } | |
990 | +#endif | |
991 | +#ifdef CONFIG_SECURE_TRACE | |
992 | + if (sysctl_security_trace && current->uid | |
993 | +#ifdef CONFIG_SECURE_TRACE_USERGROUP | |
994 | + && current->egid != sysctl_security_trace_gid | |
995 | +#endif | |
996 | + ) { | |
997 | + security_alert("denied ptrace of %s[%d] by %s[%d], " | |
998 | + "UID/EUID %d/%d, GID/EGID %d/%d, parent %s[%d], " | |
999 | + "UID/EUID %d/%d, GID/EGID %d/%d", | |
1000 | + "ptrace attempts", | |
1001 | + child->comm, child->pid, current->comm, | |
1002 | + current->pid, current->uid, | |
1003 | + current->euid, current->gid, | |
1004 | + current->egid, current->p_pptr->comm, | |
1005 | + current->p_pptr->pid, current->p_pptr->uid, | |
1006 | + current->p_pptr->euid, current->p_pptr->gid, | |
1007 | + current->p_pptr->egid ); | |
1008 | + goto out; | |
1009 | + } | |
1010 | + security_alert("ptrace of %s[%d] by %s[%d], " | |
1011 | + "UID/EUID %d/%d, GID/EGID %d/%d, parent %s[%d], " | |
1012 | + "UID/EUID %d/%d, GID/EGID %d/%d", | |
1013 | + "ptraces", | |
1014 | + child->comm, child->pid, current->comm, | |
1015 | + current->pid, current->uid, | |
1016 | + current->euid, current->gid, | |
1017 | + current->egid, current->p_pptr->comm, | |
1018 | + current->p_pptr->pid, current->p_pptr->uid, | |
1019 | + current->p_pptr->euid, current->p_pptr->gid, | |
1020 | + current->p_pptr->egid ); | |
1021 | +#endif | |
1022 | child->ptrace |= PT_PTRACED; | |
1023 | write_lock_irqsave(&tasklist_lock, flags); | |
1024 | if(child->p_pptr != current) { | |
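Review bot: The CONFIG_SECURE_TRACE denial at L1001-L1013 jumps to `out` without reporting an error: on this port the result is delivered through the registers, which is why the pre-existing denial at L974-L975 and the new chroot branch at L991 both call `pt_error_return(regs, EPERM)` before `goto out`. As written, a refused attach returns to the tracer with whatever happens to be in the result registers rather than -EPERM, so the caller cannot tell it was denied. Add `pt_error_return(regs, EPERM);` before the `goto out;` on L1012. The sparc64 hunk ending at L1140 has the same omission at L1124.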
1025 | @@ -922,14 +974,21 @@ | |
1026 | unlock_kernel(); | |
1027 | } | |
1028 | ||
1029 | -asmlinkage void syscall_trace(void) | |
1030 | +asmlinkage void syscall_trace(int unused) | |
1031 | { | |
1032 | +#ifdef CONFIG_SECURE_TRACE | |
1033 | + struct pt_regs *regs = (struct pt_regs *) &unused; | |
1034 | +#endif | |
1035 | #ifdef DEBUG_PTRACE | |
1036 | printk("%s [%d]: syscall_trace\n", current->comm, current->pid); | |
1037 | #endif | |
1038 | if ((current->ptrace & (PT_PTRACED|PT_TRACESYS)) | |
1039 | != (PT_PTRACED|PT_TRACESYS)) | |
1040 | return; | |
1041 | +#ifdef CONFIG_SECURE_TRACE | |
1042 | + if (!user_mode(regs)) | |
1043 | + return; /* Don't trace the kernel's syscalls */ | |
1044 | +#endif | |
1045 | current->exit_code = SIGTRAP; | |
1046 | current->state = TASK_STOPPED; | |
1047 | current->tss.flags ^= MAGIC_CONSTANT; | |
1048 | diff -urP linux-2.2.20-ow1/arch/sparc64/defconfig linux-2.2.20-hap-2/arch/sparc64/defconfig | |
1049 | --- linux-2.2.20-ow1/arch/sparc64/defconfig Sat Nov 3 13:14:57 2001 | |
1050 | +++ linux-2.2.20-hap-2/arch/sparc64/defconfig Fri Nov 9 19:16:17 2001 | |
1051 | @@ -391,10 +391,15 @@ | |
1052 | # | |
1053 | CONFIG_SECURE_LINK=y | |
1054 | CONFIG_SECURE_FIFO=y | |
1055 | -# CONFIG_SECURE_PROC is not set | |
1056 | +CONFIG_SECURE_NOTSOMUCH=y | |
1057 | +CONFIG_SECURE_PROC=y | |
1058 | CONFIG_SECURE_FD_0_1_2=y | |
1059 | CONFIG_SECURE_RLIMIT_NPROC=y | |
1060 | # CONFIG_SECURE_SHM is not set | |
1061 | +CONFIG_SECURE_LOGGING=y | |
1062 | +CONFIG_SECURE_NETWORK=y | |
1063 | +# CONFIG_SECURE_NET_SBD is not set | |
1064 | +CONFIG_SECURE_CHROOT=y | |
1065 | ||
1066 | # | |
1067 | # Watchdog | |
1068 | diff -urP linux-2.2.20-ow1/arch/sparc64/kernel/ptrace.c linux-2.2.20-hap-2/arch/sparc64/kernel/ptrace.c | |
1069 | --- linux-2.2.20-ow1/arch/sparc64/kernel/ptrace.c Fri Nov 2 11:39:06 2001 | |
1070 | +++ linux-2.2.20-hap-2/arch/sparc64/kernel/ptrace.c Fri Nov 9 19:16:17 2001 | |
1071 | @@ -537,6 +537,9 @@ | |
1072 | ||
1073 | asmlinkage void do_ptrace(struct pt_regs *regs) | |
1074 | { | |
1075 | +#ifdef CONFIG_SECURE_TRACE | |
1076 | + extern int sysctl_security_trace, sysctl_security_trace_gid; | |
1077 | +#endif | |
1078 | int request = regs->u_regs[UREG_I0]; | |
1079 | pid_t pid = regs->u_regs[UREG_I1]; | |
1080 | unsigned long addr = regs->u_regs[UREG_I2]; | |
1081 | @@ -620,6 +623,55 @@ | |
1082 | pt_error_return(regs, EPERM); | |
1083 | goto out; | |
1084 | } | |
1085 | +#ifdef CONFIG_SECURE_CHROOT | |
1086 | + if (!(hap_same_root_as_init(current)) && | |
1087 | + !(hap_same_root(current, child)) ) { | |
1088 | + /* | |
1089 | + * This process is chrooted; don't let it ptrace | |
1090 | + * any process not in the same jail with it | |
1091 | + */ | |
1092 | + security_alert("denied ptrace of %s[%d] within chrooted " | |
1093 | + "jail [%s]:%lu by %s[%d], UID %d, EUID %d, parent %s[%d], UID %d, EUID %d", | |
1094 | + "ptraces from a chrooted process", | |
1095 | + child->comm, child->pid, kdevname(current->fs->root->d_inode->i_dev), | |
1096 | + current->fs->root->d_inode->i_ino, current->comm, current->pid, | |
1097 | + current->uid, current->euid, current->p_pptr->comm, current->p_pptr->pid, | |
1098 | + current->p_pptr->uid, current->p_pptr->euid ); | |
1099 | + pt_error_return(regs, EPERM); | |
1100 | + goto out; | |
1101 | + } | |
1102 | +#endif | |
1103 | +#ifdef CONFIG_SECURE_TRACE | |
1104 | + if (sysctl_security_trace && current->uid | |
1105 | +#ifdef CONFIG_SECURE_TRACE_USERGROUP | |
1106 | + && current->egid != sysctl_security_trace_gid | |
1107 | +#endif | |
1108 | + ) { | |
1109 | + security_alert("denied ptrace of %s[%d] by %s[%d], " | |
1110 | + "UID/EUID %d/%d, GID/EGID %d/%d, parent %s[%d], " | |
1111 | + "UID/EUID %d/%d, GID/EGID %d/%d", | |
1112 | + "ptrace attempts", | |
1113 | + child->comm, child->pid, current->comm, | |
1114 | + current->pid, current->uid, | |
1115 | + current->euid, current->gid, | |
1116 | + current->egid, current->p_pptr->comm, | |
1117 | + current->p_pptr->pid, current->p_pptr->uid, | |
1118 | + current->p_pptr->euid, current->p_pptr->gid, | |
1119 | + current->p_pptr->egid ); | |
1120 | + goto out; | |
1121 | + } | |
1122 | + security_alert("ptrace of %s[%d] by %s[%d], " | |
1123 | + "UID/EUID %d/%d, GID/EGID %d/%d, parent %s[%d], " | |
1124 | + "UID/EUID %d/%d, GID/EGID %d/%d", | |
1125 | + "ptraces", | |
1126 | + child->comm, child->pid, current->comm, | |
1127 | + current->pid, current->uid, | |
1128 | + current->euid, current->gid, | |
1129 | + current->egid, current->p_pptr->comm, | |
1130 | + current->p_pptr->pid, current->p_pptr->uid, | |
1131 | + current->p_pptr->euid, current->p_pptr->gid, | |
1132 | + current->p_pptr->egid ); | |
1133 | +#endif | |
1134 | child->ptrace |= PT_PTRACED; | |
1135 | write_lock_irqsave(&tasklist_lock, flags); | |
1136 | if(child->p_pptr != current) { | |
1137 | @@ -1134,14 +1186,21 @@ | |
1138 | unlock_kernel(); | |
1139 | } | |
1140 | ||
1141 | -asmlinkage void syscall_trace(void) | |
1142 | +asmlinkage void syscall_trace(int unused) | |
1143 | { | |
1144 | +#ifdef CONFIG_SECURE_TRACE | |
1145 | + struct pt_regs *regs = (struct pt_regs *) &unused; | |
1146 | +#endif | |
1147 | #ifdef DEBUG_PTRACE | |
1148 | printk("%s [%d]: syscall_trace\n", current->comm, current->pid); | |
1149 | #endif | |
1150 | if ((current->ptrace & (PT_PTRACED|PT_TRACESYS)) | |
1151 | != (PT_PTRACED|PT_TRACESYS)) | |
1152 | return; | |
1153 | +#ifdef CONFIG_SECURE_TRACE | |
1154 | + if (!user_mode(regs)) | |
1155 | + return; /* Don't trace the kernel's syscalls */ | |
1156 | +#endif | |
1157 | current->exit_code = SIGTRAP; | |
1158 | current->state = TASK_STOPPED; | |
1159 | current->tss.flags ^= MAGIC_CONSTANT; | |
1160 | diff -urP linux-2.2.20-ow1/fs/exec.c linux-2.2.20-hap-2/fs/exec.c | |
1161 | --- linux-2.2.20-ow1/fs/exec.c Sat Nov 3 13:14:57 2001 | |
1162 | +++ linux-2.2.20-hap-2/fs/exec.c Sat Nov 10 02:37:07 2001 | |
1163 | @@ -674,6 +674,9 @@ | |
1164 | */ | |
1165 | int prepare_binprm(struct linux_binprm *bprm) | |
1166 | { | |
1167 | +#ifdef CONFIG_SECURE_TRACE | |
1168 | + extern int sysctl_security_trace, sysctl_security_trace_gid; | |
1169 | +#endif | |
1170 | int mode; | |
1171 | int retval,id_change,cap_raised; | |
1172 | struct inode * inode = bprm->dentry->d_inode; | |
1173 | @@ -778,7 +781,55 @@ | |
1174 | return retval; | |
1175 | #endif | |
1176 | } | |
1177 | - | |
1178 | +/* Total mess of ifdef's follow. */ | |
1179 | +#if defined(CONFIG_SECURE_BUGFIX) || defined(CONFIG_SECURE_TRACE) | |
1180 | + /* ptraced executables must be readable */ | |
1181 | + if (current->ptrace & PT_PTRACED) { | |
1182 | +#ifdef CONFIG_SECURE_TRACE | |
1183 | + if (sysctl_security_trace && current->uid | |
1184 | +#ifdef CONFIG_SECURE_TRACE_USERGROUP | |
1185 | + && current->egid != sysctl_security_trace_gid | |
1186 | +#endif | |
1187 | + ) { | |
1188 | + security_alert("denied ptrace of %s by %s[%d], " | |
1189 | + "UID/EUID %d/%d, GID/EGID %d/%d, parent %s[%d], " | |
1190 | + "UID/EUID %d/%d, GID/EGID %d/%d", | |
1191 | + "ptrace attempts", | |
1192 | + bprm->filename, current->comm, current->pid, current->uid, | |
1193 | + current->euid, current->gid, current->egid, current->p_pptr->comm, | |
1194 | + current->p_pptr->pid, current->p_pptr->uid, current->p_pptr->euid, | |
1195 | + current->p_pptr->gid, current->p_pptr->egid); | |
1196 | + return -EPERM; | |
1197 | + } | |
1198 | +#endif /* CONFIG_SECURE_TRACE */ | |
1199 | +#ifdef CONFIG_SECURE_BUGFIX | |
1200 | + if ((retval = permission(bprm->dentry->d_inode, MAY_READ)) != 0) { | |
1201 | +#ifdef CONFIG_SECURE_LOGGING | |
1202 | + security_alert("refused ptrace of unreadable executable %s by " | |
1203 | + "%s[%d], UID/EUID %d/%d, GID/EGID %d/%d, parent %s[%d], " | |
1204 | + "UID/EUID %d/%d, GID/EGID %d/%d", | |
1205 | + "unreadable executables ptraced", | |
1206 | + bprm->filename, current->comm, current->pid, current->uid, | |
1207 | + current->euid, current->gid, current->egid, current->p_pptr->comm, | |
1208 | + current->p_pptr->pid, current->p_pptr->uid, current->p_pptr->euid, | |
1209 | + current->p_pptr->gid, current->p_pptr->egid); | |
1210 | +#endif /* CONFIG_SECURE_LOGGING */ | |
1211 | + return -EPERM; | |
1212 | + } | |
1213 | +#endif /* CONFIG_SECURE_BUGFIX */ | |
1214 | +#ifdef CONFIG_SECURE_TRACE | |
1215 | + /* log all permitted ptrace's */ | |
1216 | + security_alert("ptrace of %s by %s[%d], " | |
1217 | + "UID/EUID %d/%d, GID/EGID %d/%d, parent %s[%d], " | |
1218 | + "UID/EUID %d/%d, GID/EGID %d/%d", | |
1219 | + "ptraces", | |
1220 | + bprm->filename, current->comm, current->pid, current->uid, | |
1221 | + current->euid, current->gid, current->egid, current->p_pptr->comm, | |
1222 | + current->p_pptr->pid, current->p_pptr->uid, current->p_pptr->euid, | |
1223 | + current->p_pptr->gid, current->p_pptr->egid); | |
1224 | +#endif /* CONFIG_SECURE_TRACE */ | |
1225 | + } | |
1226 | +#endif /* CONFIG_SECURE_BUGFIX || CONFIG_SECURE_TRACE */ | |
1227 | memset(bprm->buf,0,sizeof(bprm->buf)); | |
1228 | return read_exec(bprm->dentry,0,bprm->buf,128,1); | |
1229 | } | |
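Review bot: The CONFIG_SECURE_BUGFIX branch at L1204-L1216 calls `permission()` into `retval` and then discards that value, returning -EPERM; returning `retval` would preserve the error the VFS actually reported (typically -EACCES) and matches how the function's other error paths at L1178 return `retval`. Separately, the "unreadable executable" alert is wrapped in `#ifdef CONFIG_SECURE_LOGGING` while the two CONFIG_SECURE_TRACE alerts in the same block are not: if `security_alert` is only available when logging is configured, this block will not build with TRACE alone; if it compiles away without logging, the guard is redundant — either way the three calls should be guarded consistently. The one-line change is `return retval;` in place of `return -EPERM;` at L1215.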
1230 | @@ -946,6 +997,22 @@ | |
1231 | int retval; | |
1232 | int i; | |
1233 | ||
1234 | +#ifdef CONFIG_SECURE_CHROOT | |
1235 | + if (!(hap_same_root_as_init(current))) { | |
1236 | + /* | |
1237 | + * This process is in a chrooted jail; log everything it exec's | |
1238 | + */ | |
1239 | + security_alert("exec of %s within chrooted jail [%s]:%lu by " | |
1240 | + "%s[%d], UID %d, EUID %d, parent %s[%d], UID %d, EUID %d", | |
1241 | + "execs from a chrooted process", | |
1242 | + filename, kdevname(current->fs->root->d_inode->i_dev), | |
1243 | + current->fs->root->d_inode->i_ino,current->comm, | |
1244 | + current->pid,current->uid, current->euid, | |
1245 | + current->p_pptr->comm, current->p_pptr->pid, | |
1246 | + current->p_pptr->uid, current->p_pptr->euid ); | |
1247 | + } | |
1248 | +#endif /* CONFIG_SECURE_CHROOT */ | |
1249 | + | |
1250 | #ifdef CONFIG_SECURE_RLIMIT_NPROC | |
1251 | /* | |
1252 | * This check is similar to that done in kernel/fork.c, except that we | |
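Review bot: The alert at L1243-L1250 formats `filename` with `%s`; the enclosing function starts before the hunk, so it is not visible whether `filename` here is the kernel-side copy made by the caller or the raw user pointer, and `security_alert` appears to format its arguments directly. A comment on the call, e.g. `/* filename is the getname()'d kernel copy, safe to format */`, would record the invariant, or the check should move to where the copy is made. This logs every exec from inside any chroot unconditionally, so it also leans on whatever rate limiting the second `security_alert` argument provides; if that category string is the rate-limit key, say so in the comment.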
1253 | diff -urP linux-2.2.20-ow1/fs/namei.c linux-2.2.20-hap-2/fs/namei.c | |
1254 | --- linux-2.2.20-ow1/fs/namei.c Sat Nov 3 13:14:57 2001 | |
1255 | +++ linux-2.2.20-hap-2/fs/namei.c Fri Nov 9 19:16:17 2001 | |
1256 | @@ -306,18 +306,28 @@ | |
1257 | if (S_ISLNK(inode->i_mode) && | |
1258 | (base->d_inode->i_mode & S_ISVTX) && | |
1259 | inode->i_uid != base->d_inode->i_uid && | |
1260 | +#ifdef CONFIG_SECURE_NOTSOMUCH | |
1261 | + /* | |
1262 | + * Let this happen as long as the +t dir is | |
1263 | + * not world-writable. | |
1264 | + */ | |
1265 | + (base->d_inode->i_mode & S_IWOTH) && | |
1266 | +#endif | |
1267 | current->fsuid != inode->i_uid) { | |
1268 | - security_alert("not followed symlink of %d.%d " | |
1269 | - "by UID %d, EUID %d, process %s:%d", | |
1270 | + security_alert("not followed symlink of [%s]:%lu " | |
1271 | + "owned by %d.%d by %s[%d], UID %d, " | |
1272 | + "EUID %d, parent %s[%d], UID %d, EUID %d", | |
1273 | "symlinks not followed", | |
1274 | - inode->i_uid, inode->i_gid, | |
1275 | - current->uid, current->euid, | |
1276 | - current->comm, current->pid); | |
1277 | + kdevname(inode->i_dev), inode->i_ino, | |
1278 | + inode->i_uid, inode->i_gid, current->comm, | |
1279 | + current->pid, current->uid, current->euid, | |
1280 | + current->p_pptr->comm, current->p_pptr->pid, | |
1281 | + current->p_pptr->uid, current->p_pptr->euid); | |
1282 | dput(dentry); | |
1283 | dput(base); | |
1284 | return ERR_PTR(-EACCES); | |
1285 | } | |
1286 | -#endif | |
1287 | +#endif /* CONFIG_SECURE_LINK */ | |
1288 | ||
1289 | if (current->need_resched) { | |
1290 | current->state = TASK_RUNNING; | |
1291 | @@ -756,19 +766,28 @@ | |
1292 | if (S_ISFIFO(inode->i_mode) && !(flag & O_EXCL) && | |
1293 | (dir->d_inode->i_mode & S_ISVTX) && | |
1294 | inode->i_uid != dir->d_inode->i_uid && | |
1295 | +#ifdef CONFIG_SECURE_NOTSOMUCH | |
1296 | + /* | |
1297 | + * Let this happen as long as the +t dir isn't world-writable | |
1298 | + */ | |
1299 | + (dir->d_inode->i_mode & S_IWOTH) && | |
1300 | +#endif | |
1301 | current->fsuid != inode->i_uid) { | |
1302 | if (!permission(inode, acc_mode)) | |
1303 | - security_alert("denied writing FIFO of %d.%d " | |
1304 | - "by UID %d, EUID %d, process %s:%d", | |
1305 | + security_alert("denied writing FIFO [%s]:%lu owned " | |
1306 | + "by %d.%d by %s[%d], UID %d, EUID %d, parent " | |
1307 | + "%s[%d], UID %d, EUID %d", | |
1308 | "writes into a FIFO denied", | |
1309 | - inode->i_uid, inode->i_gid, | |
1310 | - current->uid, current->euid, | |
1311 | - current->comm, current->pid); | |
1312 | + kdevname(inode->i_dev), inode->i_ino, | |
1313 | + inode->i_uid, inode->i_gid, current->comm, | |
1314 | + current->pid, current->uid, current->euid, | |
1315 | + current->p_pptr->comm, current->p_pptr->pid, | |
1316 | + current->p_pptr->uid, current->p_pptr->euid); | |
1317 | error = -EACCES; | |
1318 | unlock_dir(dir); | |
1319 | goto exit; | |
1320 | } | |
1321 | -#endif | |
1322 | +#endif /* CONFIG_SECURE_FIFO */ | |
1323 | ||
1324 | /* | |
1325 | * Somebody might have created the file while we | |
1326 | @@ -909,6 +928,10 @@ | |
1327 | { | |
1328 | int error; | |
1329 | char * tmp; | |
1330 | + struct dentry * dentry; | |
1331 | +#ifdef CONFIG_SECURE_CHROOT | |
1332 | + char hap_dev_mode; | |
1333 | +#endif | |
1334 | ||
1335 | lock_kernel(); | |
1336 | error = -EPERM; | |
1337 | @@ -927,7 +950,41 @@ | |
1338 | tmp = getname(filename); | |
1339 | error = PTR_ERR(tmp); | |
1340 | if (!IS_ERR(tmp)) { | |
1341 | - struct dentry * dentry = do_mknod(tmp,mode,dev); | |
1342 | +#ifdef CONFIG_SECURE_CHROOT | |
1343 | + if (!S_ISFIFO(mode)) { | |
1344 | + if (!(hap_same_root_as_init(current))) { | |
1345 | + /* | |
1346 | + * This process is in a chrooted jail; don't let it | |
1347 | + * make a raw device through which to break out (by | |
1348 | + * double-mounting an fs, reading kmem, kybd, etc) | |
1349 | + */ | |
1350 | + switch (mode & S_IFMT) { | |
1351 | + case S_IFREG: hap_dev_mode = 'r'; break; | |
1352 | + case S_IFCHR: hap_dev_mode = 'c'; break; | |
1353 | + case S_IFBLK: hap_dev_mode = 'b'; break; | |
1354 | + case S_IFSOCK: hap_dev_mode = 's'; break; | |
1355 | + default: hap_dev_mode = 'u'; | |
1356 | + } | |
1357 | + security_alert("refused attempt to mknod %c:[%s] (%s) " | |
1358 | + "from chrooted jail [%s]:%lu owned by %d.%d by " | |
1359 | + "%s[%d], UID %d, EUID %d, parent %s[%d], UID " | |
1360 | + "%d, EUID %d", | |
1361 | + "chrooted mknods denied", | |
1362 | + hap_dev_mode, kdevname(dev), tmp, | |
1363 | + kdevname(current->fs->root->d_inode->i_dev), | |
1364 | + current->fs->root->d_inode->i_ino, | |
1365 | + current->fs->root->d_inode->i_uid, | |
1366 | + current->fs->root->d_inode->i_gid, current->comm, | |
1367 | + current->pid, current->uid, current->euid, | |
1368 | + current->p_pptr->comm, current->p_pptr->pid, | |
1369 | + current->p_pptr->uid, current->p_pptr->euid); | |
1370 | + putname(tmp); | |
1371 | + error = -EPERM; | |
1372 | + goto out; | |
1373 | + } | |
1374 | + } | |
1375 | +#endif | |
1376 | + dentry = do_mknod(tmp,mode,dev); | |
1377 | putname(tmp); | |
1378 | error = PTR_ERR(dentry); | |
1379 | if (!IS_ERR(dentry)) { | |
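Review bot: The guard at L1347 refuses every non-FIFO `mknod` from a chroot, but the comment at L1349-L1353 only talks about raw devices, while the `'r'` and `'s'` cases at L1355 and L1358 show that regular files and sockets are knowingly refused too. Either narrow the test to the device types the comment describes, `if (S_ISCHR(mode) || S_ISBLK(mode))`, or extend the comment so the next reader does not treat the regular-file refusal as an accident. The `'u'` default also catches a mode with no type bits at all, which the unchanged `do_mknod` path may have accepted as a regular file; worth confirming that is intended.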
1380 | @@ -1258,13 +1315,21 @@ | |
1381 | ((inode->i_mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP)) || | |
1382 | (error = permission(inode, MAY_READ | MAY_WRITE))) && | |
1383 | !capable(CAP_FOWNER) && | |
1384 | +#ifdef CONFIG_SECURE_NOTSOMUCH | |
1385 | + /* | |
1386 | + * Let users hard link to files in their group. | |
1387 | + */ | |
1388 | + current->fsgid != inode->i_gid && | |
1389 | +#endif | |
1390 | current->uid) { | |
1391 | - security_alert("denied hard link to %d.%d " | |
1392 | - "for UID %d, EUID %d, process %s:%d", | |
1393 | + security_alert("denied hard link to [%s]:%lu owned by %d.%d " | |
1394 | + "by %s[%d], UID %d, EUID %d, parent %s[%d], UID %d, EUID %d", | |
1395 | "hard links denied", | |
1396 | + kdevname(inode->i_dev), inode->i_ino, | |
1397 | inode->i_uid, inode->i_gid, | |
1398 | - current->uid, current->euid, | |
1399 | - current->comm, current->pid); | |
1400 | + current->comm, current->pid, current->uid, current->euid, | |
1401 | + current->p_pptr->comm, current->p_pptr->pid, | |
1402 | + current->p_pptr->uid, current->p_pptr->euid); | |
1403 | goto exit_lock; | |
1404 | } | |
1405 | #endif | |
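Review bot: The CONFIG_SECURE_NOTSOMUCH clause at L1392 exempts any file whose group matches `current->fsgid` from the hard-link restriction regardless of the file's mode, which undoes the set-id case the original condition at L1385 singles out: a user can now keep a hard link to a set-uid or set-gid binary owned by another user as long as the file's group is their own. If the intent is only to allow linking to ordinary shared group files, keep the set-id exclusion, `(current->fsgid != inode->i_gid || (inode->i_mode & (S_ISUID | S_ISGID))) &&`. Note also that `fsgid` alone ignores supplementary groups, so this decides differently from the `permission()` test on L1386 for members of the file's group via a secondary group; that asymmetry should be documented or resolved.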
1406 | diff -urP linux-2.2.20-ow1/fs/open.c linux-2.2.20-hap-2/fs/open.c | |
1407 | --- linux-2.2.20-ow1/fs/open.c Fri Nov 2 11:39:08 2001 | |
1408 | +++ linux-2.2.20-hap-2/fs/open.c Fri Nov 9 19:16:17 2001 | |
1409 | @@ -402,6 +402,9 @@ | |
1410 | int error; | |
1411 | struct inode *inode; | |
1412 | struct dentry *dentry, *tmp; | |
1413 | +#ifdef CONFIG_SECURE_CHROOT | |
1414 | + char * hap_new_chroot_path; | |
1415 | +#endif | |
1416 | ||
1417 | lock_kernel(); | |
1418 | ||
1419 | @@ -423,11 +426,55 @@ | |
1420 | error = -EPERM; | |
1421 | if (!capable(CAP_SYS_CHROOT)) | |
1422 | goto dput_and_out; | |
1423 | +#ifdef CONFIG_SECURE_CHROOT | |
1424 | + if (!(hap_same_root_as_init(current))) { | |
1425 | + /* | |
1426 | + * This process is already in a chrooted jail; don't let it chroot out. | |
1427 | + */ | |
1428 | + if (IS_ERR(hap_new_chroot_path = getname(filename))) | |
1429 | + hap_new_chroot_path = "[err]"; | |
1430 | + security_alert("refused attempt to chroot from [%s]:%lu to " | |
1431 | + "[%s]:%lu (%s) owned by %d.%d, process %s[%d], UID %d, " | |
1432 | + "EUID %d, parent %s[%d], UID %d, EUID %d", | |
1433 | + "double chroots denied", | |
1434 | + kdevname(current->fs->root->d_inode->i_dev), | |
1435 | + current->fs->root->d_inode->i_ino, | |
1436 | + kdevname(inode->i_dev), inode->i_ino, hap_new_chroot_path, | |
1437 | + inode->i_uid, inode->i_gid, | |
1438 | + current->comm, current->pid, current->uid, current->euid, | |
1439 | + current->p_pptr->comm, current->p_pptr->pid, | |
1440 | + current->p_pptr->uid, current->p_pptr->euid); | |
1441 | + putname(hap_new_chroot_path); | |
1442 | + error = -EPERM; | |
1443 | + goto dput_and_out; | |
1444 | + } | |
1445 | +#endif | |
1446 | ||
1447 | /* exchange dentries */ | |
1448 | tmp = current->fs->root; | |
1449 | current->fs->root = dentry; | |
1450 | dentry = tmp; | |
1451 | +#ifdef CONFIG_SECURE_CHROOT | |
1452 | + /* drop various dangerous capabilities when chrooting | |
1453 | + * note init is exempt for initrd-type games */ | |
1454 | + if (current->pid && current->pid > 1) { | |
1455 | + cap_lower(current->cap_permitted, | |
1456 | + CAP_FOWNER & CAP_SETPCAP & CAP_LINUX_IMMUTABLE & | |
1457 | + CAP_NET_ADMIN & CAP_SYS_MODULE & CAP_SYS_RAWIO & | |
1458 | + CAP_SYS_PACCT & CAP_SYS_ADMIN & CAP_SYS_BOOT & | |
1459 | + CAP_SYS_RESOURCE & CAP_SYS_TIME & CAP_SYS_TTY_CONFIG); | |
1460 | + cap_lower(current->cap_inheritable, | |
1461 | + CAP_FOWNER & CAP_SETPCAP & CAP_LINUX_IMMUTABLE & | |
1462 | + CAP_NET_ADMIN & CAP_SYS_MODULE & CAP_SYS_RAWIO & | |
1463 | + CAP_SYS_PACCT & CAP_SYS_ADMIN & CAP_SYS_BOOT & | |
1464 | + CAP_SYS_RESOURCE & CAP_SYS_TIME & CAP_SYS_TTY_CONFIG); | |
1465 | + cap_lower(current->cap_effective, | |
1466 | + CAP_FOWNER & CAP_SETPCAP & CAP_LINUX_IMMUTABLE & | |
1467 | + CAP_NET_ADMIN & CAP_SYS_MODULE & CAP_SYS_RAWIO & | |
1468 | + CAP_SYS_PACCT & CAP_SYS_ADMIN & CAP_SYS_BOOT & | |
1469 | + CAP_SYS_RESOURCE & CAP_SYS_TIME & CAP_SYS_TTY_CONFIG); | |
1470 | + } | |
1471 | +#endif | |
1472 | error = 0; | |
1473 | ||
1474 | dput_and_out: | |
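Review bot: The capability drop at the end of the hunk combines the capability numbers with `&` before handing them to cap_lower(), so if cap_lower() takes a single capability index as in the stock 2.2 capability.h (`(c) &= ~CAP_TO_MASK(flag)`), the expression collapses to one small value (3 & 8 is already 0, i.e. CAP_CHOWN) and none of the twelve listed capabilities are actually removed. Drop them one at a time, as below. A second defect in the same hunk: when getname() fails the pointer is replaced with the literal "[err]" and that literal is then passed to putname(), which in 2.2 returns its argument to the names slab cache; keep the getname() result, pass `IS_ERR(hap_new_chroot_path) ? "[err]" : hap_new_chroot_path` as the `%s` argument and end with `if (!IS_ERR(hap_new_chroot_path)) putname(hap_new_chroot_path);`. The guard `current->pid && current->pid > 1` is redundant, `current->pid > 1` alone says the same thing. The enclosing function continues past the end of the hunk.
```c
	/* drop various dangerous capabilities when chrooting
	 * note init is exempt for initrd-type games */
	if (current->pid > 1) {
		static const int hap_chroot_drop[] = {
			CAP_FOWNER, CAP_SETPCAP, CAP_LINUX_IMMUTABLE,
			CAP_NET_ADMIN, CAP_SYS_MODULE, CAP_SYS_RAWIO,
			CAP_SYS_PACCT, CAP_SYS_ADMIN, CAP_SYS_BOOT,
			CAP_SYS_RESOURCE, CAP_SYS_TIME, CAP_SYS_TTY_CONFIG
		};
		int i;

		/* cap_lower() takes one capability number, not a mask */
		for (i = 0; i < sizeof(hap_chroot_drop) / sizeof(hap_chroot_drop[0]); i++) {
			cap_lower(current->cap_permitted, hap_chroot_drop[i]);
			cap_lower(current->cap_inheritable, hap_chroot_drop[i]);
			cap_lower(current->cap_effective, hap_chroot_drop[i]);
		}
	}
	/* … unchanged: error = 0; dput_and_out … */
```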
1475 | @@ -464,6 +511,31 @@ | |
1476 | goto out_putf; | |
1477 | if (mode == (mode_t) -1) | |
1478 | mode = inode->i_mode; | |
1479 | +#ifdef CONFIG_SECURE_CHROOT | |
1480 | + if ((mode & S_ISUID) || (mode & S_ISGID)) { | |
1481 | + if (!(hap_same_root_as_init(current))) { | |
1482 | + /* | |
1483 | + * This process is chrooted; don't let it turn on the set[ug]id bits. | |
1484 | + */ | |
1485 | + security_alert("refused attempt to fchmod +s [%s]:%lu " | |
1486 | + "owned by %d.%d to mode 0%07o from chrooted jail " | |
1487 | + "[%s]:%lu owned by %d.%d by %s[%d], UID %d, EUID " | |
1488 | + "%d, parent %s[%d], UID %d, EUID %d", | |
1489 | + "chrooted fchmod +s's denied", | |
1490 | + kdevname(inode->i_dev), inode->i_ino, | |
1491 | + inode->i_uid, inode->i_gid, mode, | |
1492 | + kdevname(current->fs->root->d_inode->i_dev), | |
1493 | + current->fs->root->d_inode->i_ino, | |
1494 | + current->fs->root->d_inode->i_uid, | |
1495 | + current->fs->root->d_inode->i_gid, current->comm, | |
1496 | + current->pid, current->uid, current->euid, | |
1497 | + current->p_pptr->comm, current->p_pptr->pid, | |
1498 | + current->p_pptr->uid, current->p_pptr->euid); | |
1499 | + err = -EPERM; | |
1500 | + goto out_putf; | |
1501 | + } | |
1502 | + } | |
1503 | +#endif | |
1504 | newattrs.ia_mode = (mode & S_IALLUGO) | (inode->i_mode & ~S_IALLUGO); | |
1505 | newattrs.ia_valid = ATTR_MODE | ATTR_CTIME; | |
1506 | err = notify_change(dentry, &newattrs); | |
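Review bot: The set-id test in the added block does not distinguish directories, so a jailed process is also refused `chmod g+s` on a directory, where S_ISGID only selects group inheritance for new entries and confers no privilege. Narrow the test to non-directories, `if (!S_ISDIR(inode->i_mode) && (mode & (S_ISUID | S_ISGID))) {`, unless blocking setgid directories inside jails is intended, in which case the comment should say so. The test also looks only at the requested mode, so re-applying a mode that already carries the bit is refused as well; that seems acceptable but deserves a one-line comment. The enclosing function starts before this hunk and continues after it.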
1507 | @@ -481,6 +553,9 @@ | |
1508 | struct inode * inode; | |
1509 | int error; | |
1510 | struct iattr newattrs; | |
1511 | +#ifdef CONFIG_SECURE_CHROOT | |
1512 | + char * hap_chmod_filename; | |
1513 | +#endif | |
1514 | ||
1515 | lock_kernel(); | |
1516 | dentry = namei(filename); | |
1517 | @@ -500,6 +575,34 @@ | |
1518 | ||
1519 | if (mode == (mode_t) -1) | |
1520 | mode = inode->i_mode; | |
1521 | +#ifdef CONFIG_SECURE_CHROOT | |
1522 | + if ((mode & S_ISUID) || (mode & S_ISGID)) { | |
1523 | + if (!(hap_same_root_as_init(current))) { | |
1524 | + /* | |
1525 | + * This process is chrooted; don't let it turn on the set[gu]id bits. | |
1526 | + */ | |
1527 | + if (IS_ERR(hap_chmod_filename = getname(filename))) | |
1528 | + hap_chmod_filename = "[err]"; | |
1529 | + security_alert("refused attempt to chmod +s [%s]:%lu " | |
1530 | + "(%s) owned by %d.%d to mode 0%07o from chrooted " | |
1531 | + "jail [%s]:%lu owned by %d.%d by %s[%d], UID %d, " | |
1532 | + "EUID %d, parent %s[%d], UID %d, EUID %d", | |
1533 | + "chrooted chmod +s's denied", | |
1534 | + kdevname(inode->i_dev), inode->i_ino, hap_chmod_filename, | |
1535 | + inode->i_uid, inode->i_gid, mode, | |
1536 | + kdevname(current->fs->root->d_inode->i_dev), | |
1537 | + current->fs->root->d_inode->i_ino, | |
1538 | + current->fs->root->d_inode->i_uid, | |
1539 | + current->fs->root->d_inode->i_gid, current->comm, | |
1540 | + current->pid, current->uid, current->euid, | |
1541 | + current->p_pptr->comm, current->p_pptr->pid, | |
1542 | + current->p_pptr->uid, current->p_pptr->euid); | |
1543 | + putname(hap_chmod_filename); | |
1544 | + error = -EPERM; | |
1545 | + goto dput_and_out; | |
1546 | + } | |
1547 | + } | |
1548 | +#endif | |
1549 | newattrs.ia_mode = (mode & S_IALLUGO) | (inode->i_mode & ~S_IALLUGO); | |
1550 | newattrs.ia_valid = ATTR_MODE | ATTR_CTIME; | |
1551 | error = notify_change(dentry, &newattrs); | |
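Review bot: On the getname() failure path the added block substitutes the string literal "[err]" for hap_chmod_filename and then passes it to putname(), which in 2.2 hands its argument back to the names slab cache, so a failed copy from user space ends in freeing read-only data. Keep the getname() result and release it only when it is a real buffer: `hap_chmod_filename = getname(filename);`, pass `IS_ERR(hap_chmod_filename) ? "[err]" : hap_chmod_filename` as the `%s` argument, and finish with `if (!IS_ERR(hap_chmod_filename)) putname(hap_chmod_filename);`. The chroot and mount hunks of this patch repeat the same pattern and need the same treatment. This is also the third near-identical copy of the denial message; a small static helper taking the inode, the mode and an optional name would keep the three in step. The enclosing function continues outside the hunk.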
1552 | diff -urP linux-2.2.20-ow1/fs/super.c linux-2.2.20-hap-2/fs/super.c | |
1553 | --- linux-2.2.20-ow1/fs/super.c Fri Nov 2 11:39:08 2001 | |
1554 | +++ linux-2.2.20-hap-2/fs/super.c Fri Nov 9 19:16:17 2001 | |
1555 | @@ -36,6 +36,10 @@ | |
1556 | #include <linux/kmod.h> | |
1557 | #endif | |
1558 | ||
1559 | +#ifdef CONFIG_SECURE_CHROOT | |
1560 | +#include <linux/sched.h> | |
1561 | +#endif | |
1562 | + | |
1563 | /* | |
1564 | * We use a semaphore to synchronize all mount/umount | |
1565 | * activity - imagine the mess if we have a race between | |
1566 | @@ -1045,10 +1049,42 @@ | |
1567 | unsigned long flags = 0; | |
1568 | unsigned long page = 0; | |
1569 | struct file dummy; /* allows read-write or read-only flag */ | |
1570 | +#ifdef CONFIG_SECURE_CHROOT | |
1571 | + char * hap_mount_dev; | |
1572 | + char * hap_mount_path; | |
1573 | +#endif | |
1574 | ||
1575 | lock_kernel(); | |
1576 | if (!capable(CAP_SYS_ADMIN)) | |
1577 | goto out; | |
1578 | +#ifdef CONFIG_SECURE_CHROOT | |
1579 | + if (!(hap_same_root_as_init(current))) { | |
1580 | + /* | |
1581 | + * This process is in a chrooted jail; don't let it (re)mount any filesystems. | |
1582 | + */ | |
1583 | + if(IS_ERR(hap_mount_dev = getname(dev_name))) | |
1584 | + hap_mount_dev = "nodev"; | |
1585 | + if(IS_ERR(hap_mount_path = getname(dir_name))) | |
1586 | + hap_mount_path = "[err]"; | |
1587 | + security_alert("refused attempt to mount [%s] as %s " | |
1588 | + "from chrooted jail [%s]:%lu owned by %d.%d by " | |
1589 | + "%s[%d], UID %d, EUID %d, parent %s[%d], UID " | |
1590 | + "%d, EUID %d", | |
1591 | + "chrooted mounts denied", | |
1592 | + hap_mount_dev, hap_mount_path, | |
1593 | + kdevname(current->fs->root->d_inode->i_dev), | |
1594 | + current->fs->root->d_inode->i_ino, | |
1595 | + current->fs->root->d_inode->i_uid, | |
1596 | + current->fs->root->d_inode->i_gid, current->comm, current->pid, | |
1597 | + current->uid, current->euid, current->p_pptr->comm, | |
1598 | + current->p_pptr->pid, current->p_pptr->uid, | |
1599 | + current->p_pptr->euid); | |
1600 | + putname(hap_mount_dev); | |
1601 | + putname(hap_mount_path); | |
1602 | + retval = -EPERM; | |
1603 | + goto out; | |
1604 | + } | |
1605 | +#endif | |
1606 | if ((new_flags & | |
1607 | (MS_MGC_MSK | MS_REMOUNT)) == (MS_MGC_VAL | MS_REMOUNT)) { | |
1608 | retval = copy_mount_options (data, &page); | |
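Review bot: Both fallback strings in the added block, "nodev" and "[err]", are passed to putname() whenever getname() fails, and a NULL dev_name (which the "nodev" fallback itself anticipates, presumably for filesystems without a backing device) makes that happen on every refused mount of such a type, freeing a string literal into the names slab. Release only what getname() returned: keep the raw results and use `if (!IS_ERR(hap_mount_dev)) putname(hap_mount_dev);` and `if (!IS_ERR(hap_mount_path)) putname(hap_mount_path);`, substituting the placeholders only in the `%s` arguments. The message reads "mount [%s] as %s" but the second argument is the target directory, so `"refused attempt to mount [%s] on %s "` describes the log line accurately. The enclosing function continues past the end of the hunk.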
1609 | diff -urP linux-2.2.20-ow1/include/linux/kernel.h linux-2.2.20-hap-2/include/linux/kernel.h | |
1610 | --- linux-2.2.20-ow1/include/linux/kernel.h Sat Nov 3 13:14:57 2001 | |
1611 | +++ linux-2.2.20-hap-2/include/linux/kernel.h Sat Nov 10 02:20:12 2001 | |
1612 | @@ -89,18 +89,33 @@ | |
1613 | \ | |
1614 | spin_lock(&security_alert_lock); \ | |
1615 | \ | |
1616 | -/* Make sure at least one minute passed since the last warning logged */ \ | |
1617 | - if (!warning_time || jiffies - warning_time > 60 * HZ) { \ | |
1618 | +/* Make sure at least one second passed since the last warning logged */ \ | |
1619 | + if (!warning_time || jiffies - warning_time > HZ) { \ | |
1620 | warning_time = jiffies; no_flood_yet = 1; \ | |
1621 | - printk(KERN_ALERT "Security: " normal_msg "\n", ## args); \ | |
1622 | + printk(KERN_WARNING "Security: " normal_msg "\n", ## args); \ | |
1623 | } else if (no_flood_yet) { \ | |
1624 | warning_time = jiffies; no_flood_yet = 0; \ | |
1625 | - printk(KERN_ALERT "Security: more " flood_msg \ | |
1626 | - ", logging disabled for a minute\n"); \ | |
1627 | + printk(KERN_WARNING "Security: more " flood_msg \ | |
1628 | + ", logging disabled for one second\n"); \ | |
1629 | } \ | |
1630 | \ | |
1631 | spin_unlock(&security_alert_lock); \ | |
1632 | }) | |
1633 | + | |
1634 | +#ifdef CONFIG_SECURE_CHROOT | |
1635 | +#define hap_same_root(haptask1, haptask2) \ | |
1636 | + /* if root devices and inodes match, processes share a \ | |
1637 | + * common root (neither, or both together, are chrooted) */ \ | |
1638 | + ((haptask1->fs->root->d_inode->i_dev == \ | |
1639 | + haptask2->fs->root->d_inode->i_dev) && \ | |
1640 | + (haptask1->fs->root->d_inode->i_ino == \ | |
1641 | + haptask2->fs->root->d_inode->i_ino) ) | |
1642 | + | |
1643 | +#define hap_same_root_as_init(haptask) \ | |
1644 | + /* compare the given process to init */ \ | |
1645 | + hap_same_root(haptask, \ | |
1646 | + (task[smp_num_cpus] ? : task[0])) /* voodoo */ | |
1647 | +#endif /* CONFIG_SECURE_CHROOT */ | |
1648 | ||
1649 | #endif /* __KERNEL__ */ | |
1650 | ||
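Review bot: hap_same_root() and hap_same_root_as_init() expand to `task[]` and `smp_num_cpus`, which kernel.h does not declare, so every user must already include linux/sched.h (the super.c hunk adds it explicitly; open.c and signal.c presumably get it transitively, which is fragile for a macro living in kernel.h). The macros also evaluate their arguments repeatedly and walk `fs->root->d_inode` with no NULL guard, which is exactly why signal.c spells out a dozen checks by hand; a `static inline int hap_same_root(struct task_struct *a, struct task_struct *b)` in sched.h with the guards built in would evaluate each argument once and let the callers drop their copies. Worth stating in the macro comment: "chrooted" here means "root differs from init's root", so if init itself runs chrooted (the initrd case the chroot hunk mentions) every process sharing that root is treated as unconfined. On the rate-limit change, if `warning_time`/`no_flood_yet` are shared rather than per-expansion statics, a one-second window means a sustained flood of one alert kind (redirects, fork failures) suppresses chroot denials for as long as it lasts; the macro comment should say which it is.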
1651 | diff -urP linux-2.2.20-ow1/include/linux/sysctl.h linux-2.2.20-hap-2/include/linux/sysctl.h | |
1652 | --- linux-2.2.20-ow1/include/linux/sysctl.h Sun Mar 25 11:37:40 2001 | |
1653 | +++ linux-2.2.20-hap-2/include/linux/sysctl.h Fri Nov 9 19:16:17 2001 | |
1654 | @@ -107,7 +107,8 @@ | |
1655 | KERN_SHMALL=41, /* int: maximum size of shared memory */ | |
1656 | KERN_SPARC_STOP_A=44, /* int: Sparc Stop-A enable */ | |
1657 | KERN_HOTPLUG=49, /* string: path to hotplug policy agent */ | |
1658 | - KERN_IEEE_EMULATION_WARNINGS=50 /* int: unimplemented ieee instructions */ | |
1659 | + KERN_IEEE_EMULATION_WARNINGS=50, /* int: unimplemented ieee instructions */ | |
1660 | + KERN_SECURITY=51 /* Security */ | |
1661 | }; | |
1662 | ||
1663 | ||
1664 | diff -urP linux-2.2.20-ow1/include/linux/tasks.h linux-2.2.20-hap-2/include/linux/tasks.h | |
1665 | --- linux-2.2.20-ow1/include/linux/tasks.h Sun Mar 25 11:31:03 2001 | |
1666 | +++ linux-2.2.20-hap-2/include/linux/tasks.h Sat Nov 10 02:20:12 2001 | |
1667 | @@ -11,7 +11,7 @@ | |
1668 | #define NR_CPUS 1 | |
1669 | #endif | |
1670 | ||
1671 | -#define NR_TASKS 512 /* On x86 Max about 4000 */ | |
1672 | +#define NR_TASKS 2048 /* On x86 Max about 4000 */ | |
1673 | ||
1674 | #define MAX_TASKS_PER_USER (NR_TASKS/2) | |
1675 | #define MIN_TASKS_LEFT_FOR_ROOT 4 | |
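Review bot: Raising NR_TASKS from 512 to 2048 silently quadruples MAX_TASKS_PER_USER, which the next line derives as NR_TASKS/2, to 1024, and the change is unconditional rather than behind one of the CONFIG_SECURE_* options, so it alters the per-user process ceiling on every build of this patch. If the intent is only more headroom for the system, decouple the two, e.g. `#define MAX_TASKS_PER_USER 256` or derive it from its own constant, and mention the new limits in the help text. The larger task[] array presumably also costs static memory at boot, which the commit message should note.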
1676 | diff -urP linux-2.2.20-ow1/include/net/dst.h linux-2.2.20-hap-2/include/net/dst.h | |
1677 | --- linux-2.2.20-ow1/include/net/dst.h Sun Mar 25 11:31:07 2001 | |
1678 | +++ linux-2.2.20-hap-2/include/net/dst.h Sat Nov 10 02:21:36 2001 | |
1679 | @@ -16,7 +16,11 @@ | |
1680 | * 1 - rare events and bugs (default) | |
1681 | * 2 - trace mode. | |
1682 | */ | |
1683 | -#define RT_CACHE_DEBUG 0 | |
1684 | +#ifdef CONFIG_SECURE_LOGGING | |
1685 | +#define RT_CACHE_DEBUG 1 | |
1686 | +#else | |
1687 | +#define RT_CACHE_DEBUG 0 | |
1688 | +#endif | |
1689 | ||
1690 | #define DST_GC_MIN (1*HZ) | |
1691 | #define DST_GC_INC (5*HZ) | |
1692 | diff -urP linux-2.2.20-ow1/kernel/fork.c linux-2.2.20-hap-2/kernel/fork.c | |
1693 | --- linux-2.2.20-ow1/kernel/fork.c Sat Nov 3 13:14:57 2001 | |
1694 | +++ linux-2.2.20-hap-2/kernel/fork.c Fri Nov 9 19:16:17 2001 | |
1695 | @@ -746,6 +746,15 @@ | |
1696 | free_uid(p); | |
1697 | bad_fork_free: | |
1698 | free_task_struct(p); | |
1699 | +#ifdef CONFIG_SECURE_LOGGING | |
1700 | + security_alert("fork failure errno %d by %s[%d], UID %d, EUID %d, " | |
1701 | + "parent %s[%d], UID %d, EUID %d", | |
1702 | + "fork failures", | |
1703 | + retval, current->comm, current->pid, | |
1704 | + current->uid, current->euid, | |
1705 | + current->p_pptr->comm, current->p_pptr->pid, | |
1706 | + current->p_pptr->uid, current->p_pptr->euid); | |
1707 | +#endif | |
1708 | goto bad_fork; | |
1709 | } | |
1710 | ||
1711 | diff -urP linux-2.2.20-ow1/kernel/signal.c linux-2.2.20-hap-2/kernel/signal.c | |
1712 | --- linux-2.2.20-ow1/kernel/signal.c Fri Nov 2 11:39:16 2001 | |
1713 | +++ linux-2.2.20-hap-2/kernel/signal.c Fri Nov 9 19:16:17 2001 | |
1714 | @@ -254,6 +254,9 @@ | |
1715 | { | |
1716 | unsigned long flags; | |
1717 | int ret; | |
1718 | +#ifdef CONFIG_SECURE_CHROOT | |
1719 | + struct task_struct * hap_init_task; | |
1720 | +#endif | |
1721 | ||
1722 | #if DEBUG_SIG | |
1723 | printk("SIG queue (%s:%d): %d ", t->comm, t->pid, sig); | |
1724 | @@ -270,13 +273,67 @@ | |
1725 | && (current->uid ^ t->suid) && (current->uid ^ t->uid) | |
1726 | && !capable(CAP_KILL)) | |
1727 | goto out_nolock; | |
1728 | - | |
1729 | - /* The null signal is a permissions and process existance probe. | |
1730 | - No signal is actually delivered. Same goes for zombies. | |
1731 | - We have to grab the spinlock now so that we do not race | |
1732 | + /* We have to grab the spinlock now so that we do not race | |
1733 | with flush_signals. */ | |
1734 | - ret = 0; | |
1735 | spin_lock_irqsave(&t->sigmask_lock, flags); | |
1736 | + | |
1737 | +#ifdef CONFIG_SECURE_CHROOT | |
1738 | + /* | |
1739 | + * chrooted processes can only send signals to other processes in | |
1740 | + * the same jail, with the exception that they can send SIGALRM and | |
1741 | + * SIGIO to any process, and SIGCHLD to their parent, regardless. | |
1742 | + */ | |
1743 | + /* | |
1744 | + * this is still needed with the hap_same_root macros because we | |
1745 | + * have to check init's task struct to be careful not to deref a | |
1746 | + * null pointer later | |
1747 | + */ | |
1748 | + hap_init_task = task[smp_num_cpus] ? : task[0]; /* find task for init */ | |
1749 | + if ( /* noop for 'signal zero' */ | |
1750 | + sig && | |
1751 | + | |
1752 | + /* be careful not to deref a null pointer later */ | |
1753 | + t->pid && t->fs && t->fs->root && t->fs->root->d_inode && t->p_pptr && | |
1754 | + current->pid && current->fs && current->fs->root && | |
1755 | + current->fs->root->d_inode && current->p_pptr && | |
1756 | + hap_init_task && hap_init_task->pid && hap_init_task->fs && | |
1757 | + hap_init_task->fs->root && hap_init_task->fs->root->d_inode && | |
1758 | + | |
1759 | + /* real work starting: check if signal is "mostly harmless" */ | |
1760 | + !( sig == SIGALRM || sig == SIGIO || | |
1761 | + | |
1762 | + /* check if current is not chrooted */ | |
1763 | + (hap_same_root_as_init(current)) || | |
1764 | + | |
1765 | + /* else check if current && target are under same chroot */ | |
1766 | + (hap_same_root(t, current)) || | |
1767 | + | |
1768 | + /* else check if child is sending parent SIGCHILD */ | |
1769 | + (t->pid == current->p_pptr->pid && sig == SIGCHLD) ) ) { | |
1770 | + | |
1771 | + /* Note: if target is init, its parent is task 0 */ | |
1772 | + security_alert("refused signal %d out of chrooted jail [%s]:%lu " | |
1773 | + "owned by %d.%d by %s[%d], UID %d, EUID %d, parent " | |
1774 | + "%s[%d], UID %d, EUID %d to %s[%d], UID %d, EUID %d with " | |
1775 | + "root [%s]:%lu owned by %d.%d, parent %s[%d], UID %d, EUID %d", | |
1776 | + "refused signals", | |
1777 | + sig, kdevname(current->fs->root->d_inode->i_dev), | |
1778 | + current->fs->root->d_inode->i_ino, current->fs->root->d_inode->i_uid, | |
1779 | + current->fs->root->d_inode->i_gid, current->comm, | |
1780 | + current->pid, current->uid, current->euid, current->p_pptr->comm, | |
1781 | + current->p_pptr->pid, current->p_pptr->uid, current->p_pptr->euid, | |
1782 | + t->comm, t->pid, t->uid, t->euid, kdevname(t->fs->root->d_inode->i_dev), | |
1783 | + t->fs->root->d_inode->i_ino, t->fs->root->d_inode->i_uid, | |
1784 | + t->fs->root->d_inode->i_gid, t->p_pptr->comm, t->p_pptr->pid, | |
1785 | + t->p_pptr->uid, t->p_pptr->euid); | |
1786 | + spin_unlock_irqrestore(&t->sigmask_lock, flags); | |
1787 | + goto out_nolock; | |
1788 | + } | |
1789 | + | |
1790 | +#endif | |
1791 | + ret = 0; | |
1792 | + /* The null signal is a permissions and process existance probe. | |
1793 | + No signal is actually delivered. Same goes for zombies. */ | |
1794 | if (!sig || !t->sig) { | |
1795 | spin_unlock_irqrestore(&t->sigmask_lock, flags); | |
1796 | goto out_nolock; | |
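Review bot: The SIGALRM/SIGIO exemption in the new filter lets a jailed process deliver two signals whose default action is termination to any process outside the jail that passes the uid check above, so the jail does not prevent killing same-uid processes on the host; if the exemption exists because the kernel's timer and async-I/O code sends these from contexts where `current` is unrelated to the target, key it on the kernel-origin marker the permission check already uses for `info` rather than on the signal number, so a user-space `kill(pid, SIGALRM)` is still filtered. The refusal path jumps to out_nolock without assigning `ret`, relying on it still holding the -EPERM set before the permission check (outside the hunk) now that `ret = 0;` has been moved below the new block; write `ret = -EPERM;` explicitly before the `goto out_nolock;` so a later reshuffle cannot return an uninitialised value. The hand-rolled lookup of hap_init_task duplicates what hap_same_root_as_init() does internally; once the task is in hand, `hap_same_root(current, hap_init_task)` avoids evaluating `task[smp_num_cpus] ? : task[0]` twice. The enclosing function continues outside the hunk.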
1797 | @@ -301,6 +358,34 @@ | |
1798 | /* Inflict this corner case with recalculations, not mainline */ | |
1799 | recalc_sigpending(t); | |
1800 | break; | |
1801 | +#if CONFIG_SECURE_LOGGING | |
1802 | + case SIGSEGV: case SIGILL: case SIGABRT: case SIGBUS: | |
1803 | +#ifdef __i386__ | |
1804 | + security_alert("signal %d (%s addr 0x%08lx) sent to " | |
1805 | + "%s[%d], UID %d, EUID %d, parent %s[%d], UID %d, EUID %d, " | |
1806 | + "by %s[%d], UID %d, EUID %d, parent %s[%d], UID %d, EUID %d", | |
1807 | + "signal warnings", | |
1808 | + sig, (t->tss.error_code & 2) ? "write" : "read or execute", | |
1809 | + t->tss.cr2, | |
1810 | + t->comm, t->pid, t->uid, t->euid, t->p_pptr->comm, | |
1811 | + t->p_pptr->pid, t->p_pptr->uid, t->p_pptr->euid, | |
1812 | + current->comm, current->pid, current->uid, current->euid, | |
1813 | + current->p_pptr->comm, current->p_pptr->pid, | |
1814 | + current->p_pptr->uid, current->p_pptr->euid); | |
1815 | +#else | |
1816 | + security_alert("signal %d sent to " | |
1817 | + "%s[%d], UID %d, EUID %d, parent %s[%d], UID %d, EUID %d, " | |
1818 | + "by %s[%d], UID %d, EUID %d, parent %s[%d], UID %d, EUID %d", | |
1819 | + "signal warnings", | |
1820 | + sig, | |
1821 | + t->comm, t->pid, t->uid, t->euid, t->p_pptr->comm, | |
1822 | + t->p_pptr->pid, t->p_pptr->uid, t->p_pptr->euid, | |
1823 | + current->comm, current->pid, current->uid, current->euid, | |
1824 | + current->p_pptr->comm, current->p_pptr->pid, | |
1825 | + current->p_pptr->uid, current->p_pptr->euid); | |
1826 | +#endif | |
1827 | + break; | |
1828 | +#endif | |
1829 | } | |
1830 | ||
1831 | /* Optimize away the signal, if it's a signal that can be | |
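Review bot: The `#if CONFIG_SECURE_LOGGING` guard differs from the `#ifdef` used everywhere else in this patch; with the symbol undefined it still compiles (an undefined identifier evaluates to 0 in `#if`) but -Wundef flags it, and a `#define CONFIG_SECURE_LOGGING` without a value would break the build, so use `#ifdef CONFIG_SECURE_LOGGING` for consistency. On the x86 branch `t->tss.cr2` and `t->tss.error_code` describe whatever the target last faulted on, which is presumably right when the signal comes from the fault handler (then `current == t`) but stale and misleading when another process sends SIGSEGV/SIGILL/SIGBUS with kill(2), and always stale for SIGABRT since abort(3) raises it with kill(); print the address only when `current == t`, or label it "last fault addr" in the format. The surrounding switch and function continue outside the hunk.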
1832 | diff -urP linux-2.2.20-ow1/kernel/sysctl.c linux-2.2.20-hap-2/kernel/sysctl.c | |
1833 | --- linux-2.2.20-ow1/kernel/sysctl.c Sat Nov 3 13:14:57 2001 | |
1834 | +++ linux-2.2.20-hap-2/kernel/sysctl.c Fri Nov 9 19:16:17 2001 | |
1835 | @@ -96,12 +96,20 @@ | |
1836 | static ctl_table fs_table[]; | |
1837 | static ctl_table debug_table[]; | |
1838 | static ctl_table dev_table[]; | |
1839 | - | |
1840 | +static ctl_table security_table[]; | |
1841 | ||
1842 | /* /proc declarations: */ | |
1843 | ||
1844 | #ifdef CONFIG_PROC_FS | |
1845 | ||
1846 | +/* Keep these here reguardless if CONFIG_SECURE_SYSCTL is defined or not */ | |
1847 | +int sysctl_security = 1; | |
1848 | +int sysctl_security_trace = 1; | |
1849 | + | |
1850 | +#ifdef CONFIG_SECURE_TRACE | |
1851 | +int sysctl_security_trace_gid = 0; | |
1852 | +#endif | |
1853 | + | |
1854 | static ssize_t proc_readsys(struct file *, char *, size_t, loff_t *); | |
1855 | static ssize_t proc_writesys(struct file *, const char *, size_t, loff_t *); | |
1856 | static int proc_sys_permission(struct inode *, int); | |
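Review bot: The comment says the sysctl_security* variables must exist regardless of CONFIG_SECURE_SYSCTL, but they are defined inside the `#ifdef CONFIG_PROC_FS` block that opens a few lines above, so a kernel built without procfs that references sysctl_security_trace elsewhere (the ptrace restriction, presumably) fails to link; move the three definitions above the `#ifdef CONFIG_PROC_FS` line. `sysctl_security` is defined and initialised to 1 but nothing in the hunk or the next one reads or exposes it, and `sysctl_security_trace_gid` is defined under CONFIG_SECURE_TRACE while its table entry in the next hunk is under CONFIG_SECURE_TRACE_USERGROUP; use the same symbol for both. The comment's "reguardless" should read "regardless".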
1857 | @@ -251,6 +259,18 @@ | |
1858 | &sysctl_ieee_emulation_warnings,sizeof(int),0644,NULL,&proc_dointvec}, | |
1859 | #endif | |
1860 | #endif | |
1861 | + {KERN_SECURITY, "security", NULL, 0, 0550, security_table}, | |
1862 | + {0} | |
1863 | +}; | |
1864 | + | |
1865 | +enum {SEC_TRACE=1, SEC_TRACE_GID , SEC_SYSCTL}; | |
1866 | +static ctl_table security_table[] = { | |
1867 | + {SEC_TRACE, "trace", &sysctl_security_trace, sizeof (int), | |
1868 | + 0640, NULL, &proc_dointvec}, | |
1869 | +#ifdef CONFIG_SECURE_TRACE_USERGROUP | |
1870 | + {SEC_TRACE_GID, "trace_gid", &sysctl_security_trace_gid, sizeof (int), | |
1871 | + 0640, NULL, &proc_dointvec}, | |
1872 | +#endif | |
1873 | {0} | |
1874 | }; | |
1875 | ||
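Review bot: The `KERN_SECURITY` entry in kern_table and the whole security_table are compiled in unconditionally, so the CONFIG_SECURE_SYSCTL option the Common.in hunk adds has no effect on them and nothing else in the patch tests it; either wrap the entry and the table in `#ifdef CONFIG_SECURE_SYSCTL` or drop the option. `SEC_SYSCTL` in the enum has no table entry and can go. Since the directory is 0550 and the `trace` file 0640, the knobs are root-only by design, which deserves a sentence in the help text so nobody relaxes the modes later.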
1876 | diff -urP linux-2.2.20-ow1/kernel/time.c linux-2.2.20-hap-2/kernel/time.c | |
1877 | --- linux-2.2.20-ow1/kernel/time.c Sun Mar 25 11:31:02 2001 | |
1878 | +++ linux-2.2.20-hap-2/kernel/time.c Fri Nov 9 19:16:17 2001 | |
1879 | @@ -108,6 +108,14 @@ | |
1880 | time_maxerror = NTP_PHASE_LIMIT; | |
1881 | time_esterror = NTP_PHASE_LIMIT; | |
1882 | write_unlock_irq(&xtime_lock); | |
1883 | +#ifdef CONFIG_SECURE_LOGGING | |
1884 | + security_alert("time set by %s[%d], UID %d, EUID %d, parent %s[%d], " | |
1885 | + "UID %d, EUID %d", | |
1886 | + "time sets", | |
1887 | + current->comm, current->pid, current->uid, current->euid, | |
1888 | + current->p_pptr->comm, current->p_pptr->pid, | |
1889 | + current->p_pptr->uid, current->p_pptr->euid); | |
1890 | +#endif | |
1891 | return 0; | |
1892 | } | |
1893 | ||
1894 | @@ -184,6 +192,14 @@ | |
1895 | * globally block out interrupts when it runs. | |
1896 | */ | |
1897 | do_settimeofday(tv); | |
1898 | +#ifdef CONFIG_SECURE_LOGGING | |
1899 | + security_alert("time set by %s[%d], UID %d, EUID %d, parent %s[%d], " | |
1900 | + "UID %d, EUID %d", | |
1901 | + "time sets", | |
1902 | + current->comm, current->pid, current->uid, current->euid, | |
1903 | + current->p_pptr->comm, current->p_pptr->pid, | |
1904 | + current->p_pptr->uid, current->p_pptr->euid); | |
1905 | +#endif | |
1906 | } | |
1907 | return 0; | |
1908 | } | |
1909 | diff -urP linux-2.2.20-ow1/net/core/utils.c linux-2.2.20-hap-2/net/core/utils.c | |
1910 | --- linux-2.2.20-ow1/net/core/utils.c Sun Mar 25 11:31:12 2001 | |
1911 | +++ linux-2.2.20-hap-2/net/core/utils.c Fri Nov 9 19:16:17 2001 | |
1912 | @@ -35,12 +35,21 @@ | |
1913 | net_random(); | |
1914 | } | |
1915 | ||
1916 | +#ifdef CONFIG_SECURE_LOGGING | |
1917 | +int net_msg_cost = HZ; | |
1918 | +#else | |
1919 | int net_msg_cost = 5*HZ; | |
1920 | +#endif | |
1921 | int net_msg_burst = 10*5*HZ; | |
1922 | ||
1923 | /* | |
1924 | +#ifdef CONFIG_SECURE_LOGGING | |
1925 | + * This enforces a rate limit: not more than one kernel message | |
1926 | + * every 1secs to make a denial-of-service attack harder. | |
1927 | +#else | |
1928 | * This enforces a rate limit: not more than one kernel message | |
1929 | * every 5secs to make a denial-of-service attack impossible. | |
1930 | +#endif | |
1931 | * | |
1932 | * All warning printk()s should be guarded by this function. | |
1933 | */ | |
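Review bot: The `#ifdef`/`#else`/`#endif` placed inside the block comment are comment text, not preprocessor directives, so both sentences stay in the source and neither is selected; replace them with one comment such as `* every net_msg_cost jiffies (1 s with CONFIG_SECURE_LOGGING, 5 s otherwise)`. More importantly, net_msg_cost drops to HZ while net_msg_burst stays at 10*5*HZ, so if net_ratelimit() charges net_msg_cost per message against a bucket capped at net_msg_burst, as it does in 2.2, the limiter now admits 50 back-to-back messages instead of 10 before it engages; if only a faster steady rate was intended, add `int net_msg_burst = 10*HZ;` under the same `#ifdef`. The wording change from "impossible" to "harder" is honest, but a 50-line burst is a larger log-exhaustion window than before and should be mentioned in the help text.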
1934 | diff -urP linux-2.2.20-ow1/net/ipv4/ip_fw.c linux-2.2.20-hap-2/net/ipv4/ip_fw.c | |
1935 | --- linux-2.2.20-ow1/net/ipv4/ip_fw.c Sun Mar 25 11:31:12 2001 | |
1936 | +++ linux-2.2.20-hap-2/net/ipv4/ip_fw.c Fri Nov 9 19:16:17 2001 | |
1937 | @@ -416,34 +416,83 @@ | |
1938 | __u32 *opt = (__u32 *) (ip + 1); | |
1939 | int opti; | |
1940 | ||
1941 | - if (f) | |
1942 | - { | |
1943 | + if (f) { | |
1944 | +#ifdef CONFIG_SECURE_NETWORK | |
1945 | + /* log any accepted packet at kern.debug instead of kern.info */ | |
1946 | + if (f->simplebranch==FW_ACCEPT || | |
1947 | + f->simplebranch==FW_REDIRECT || | |
1948 | + f->simplebranch==FW_MASQUERADE) | |
1949 | + printk(KERN_DEBUG "Packet log: %s ",chainlabel); | |
1950 | + else | |
1951 | +#endif | |
1952 | printk(KERN_INFO "Packet log: %s ",chainlabel); | |
1953 | - | |
1954 | printk("%s ",branchname(f->branch,f->simplebranch)); | |
1955 | if (f->simplebranch==FW_REDIRECT) | |
1956 | printk("%d ",f->ipfw.fw_redirpt); | |
1957 | } | |
1958 | ||
1959 | +#ifdef CONFIG_SECURE_NETWORK | |
1960 | + if (ip->protocol == IPPROTO_TCP | |
1961 | + && !(ip->frag_off & __constant_htons(IP_OFFSET))) { | |
1962 | + struct tcphdr *tcp = (struct tcphdr *)((__u32 *)ip + ip->ihl); | |
1963 | + printk("%s PROTO=TCP %d.%d.%d.%d:%hu %d.%d.%d.%d:%hu " | |
1964 | + "L=%hu:%hu:%hu S=0x%2.2hX I=%hu:%u:%u F=0x%4.4hX " | |
1965 | + "T=%hu %c%c%c%c%c%c", | |
1966 | + ifname, | |
1967 | + NIPQUAD(ip->saddr), src_port, | |
1968 | + NIPQUAD(ip->daddr), dst_port, | |
1969 | + ntohs(ip->tot_len), ntohs(ip->tot_len) - ip->ihl*4, | |
1970 | + ntohs(ip->tot_len) - ip->ihl*4 - tcp->doff*4, | |
1971 | + ip->tos, ntohs(ip->id), ntohl(tcp->seq), | |
1972 | + ntohl(tcp->ack_seq), ip->frag_off, ip->ttl, | |
1973 | + tcp->ack ? 'A' : '.', | |
1974 | + tcp->syn ? 'S' : '.', | |
1975 | + tcp->fin ? 'F' : '.', | |
1976 | + tcp->rst ? 'R' : '.', | |
1977 | + tcp->psh ? 'P' : '.', | |
1978 | + tcp->urg ? 'U' : '.' ); | |
1979 | + } else if (ip->protocol == IPPROTO_UDP | |
1980 | + && !(ip->frag_off & __constant_htons(IP_OFFSET))) { | |
1981 | + struct udphdr *udp = (struct udphdr *)((__u32 *)ip + ip->ihl); | |
1982 | + printk("%s PROTO=UDP %d.%d.%d.%d:%hu %d.%d.%d.%d:%hu " | |
1983 | + "L=%hu:%u S=0x%2.2hX I=%hu F=0x%4.4hX T=%hu", | |
1984 | + ifname, | |
1985 | + NIPQUAD(ip->saddr), src_port, | |
1986 | + NIPQUAD(ip->daddr), dst_port, | |
1987 | + ntohs(ip->tot_len), ntohs(udp->len), | |
1988 | + ip->tos, ntohs(ip->id), ip->frag_off, ip->ttl); | |
1989 | + } else if (ip->protocol == IPPROTO_ICMP | |
1990 | + && !(ip->frag_off & __constant_htons(IP_OFFSET))) { | |
1991 | + struct icmphdr *icmp = (struct icmphdr *)((__u32 *)ip + ip->ihl); | |
1992 | + printk("%s PROTO=ICMP/%d:%d %d.%d.%d.%d %d.%d.%d.%d L=%hu " | |
1993 | + "S=0x%2.2hX I=%hu:%hu:%hu F=0x%4.4hX T=%hu", | |
1994 | + ifname, icmp->type, icmp->code, | |
1995 | + NIPQUAD(ip->saddr), | |
1996 | + NIPQUAD(ip->daddr), | |
1997 | + ntohs(ip->tot_len), ip->tos, | |
1998 | + ntohs(ip->id), ntohs(icmp->un.echo.id), | |
1999 | + ntohs(icmp->un.echo.sequence), | |
2000 | + ip->frag_off, ip->ttl); | |
2001 | + } else { | |
2002 | +#endif | |
2003 | printk("%s PROTO=%d %d.%d.%d.%d:%hu %d.%d.%d.%d:%hu" | |
2004 | " L=%hu S=0x%2.2hX I=%hu F=0x%4.4hX T=%hu", | |
2005 | ifname, ip->protocol, | |
2006 | - (ntohl(ip->saddr)>>24)&0xFF, | |
2007 | - (ntohl(ip->saddr)>>16)&0xFF, | |
2008 | - (ntohl(ip->saddr)>>8)&0xFF, | |
2009 | - (ntohl(ip->saddr))&0xFF, | |
2010 | - src_port, | |
2011 | - (ntohl(ip->daddr)>>24)&0xFF, | |
2012 | - (ntohl(ip->daddr)>>16)&0xFF, | |
2013 | - (ntohl(ip->daddr)>>8)&0xFF, | |
2014 | - (ntohl(ip->daddr))&0xFF, | |
2015 | - dst_port, | |
2016 | + NIPQUAD(ip->saddr), src_port, | |
2017 | + NIPQUAD(ip->daddr), dst_port, | |
2018 | ntohs(ip->tot_len), ip->tos, ntohs(ip->id), | |
2019 | ntohs(ip->frag_off), ip->ttl); | |
2020 | +#ifdef CONFIG_SECURE_NETWORK | |
2021 | + } | |
2022 | +#endif | |
2023 | ||
2024 | for (opti = 0; opti < (ip->ihl - sizeof(struct iphdr) / 4); opti++) | |
2025 | printk(" O=0x%8.8X", *opt++); | |
2026 | +#ifdef CONFIG_SECURE_NETWORK | |
2027 | + printk(" (#%d)\n", count); | |
2028 | +#else | |
2029 | printk(" %s(#%d)\n", syn ? "SYN " : /* "PENANCE" */ "", count); | |
2030 | +#endif | |
2031 | } | |
2032 | ||
2033 | /* function for checking chain labels for user space. */ | |
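Review bot: The three new protocol branches print `ip->frag_off` raw with `F=0x%4.4hX`, while the generic branch they replace for other protocols keeps `ntohs(ip->frag_off)`, so the fragment field is byte-swapped in every TCP, UDP and ICMP line; use `ntohs(ip->frag_off)` in all three. The branches also dereference the transport header (`tcp->doff`, `udp->len`, `icmp->un.echo.*`) at `ip + ihl` without checking that the packet carries those bytes; the caller may already have validated enough to compute src_port/dst_port, but if it only guarantees the IP header, a truncated packet makes this read past the buffer, so guard each branch with a length test (e.g. `ntohs(ip->tot_len) >= ip->ihl*4 + sizeof(struct tcphdr)`) and fall through to the generic line otherwise. `ntohs(ip->tot_len) - ip->ihl*4 - tcp->doff*4` goes negative for a bogus doff and is then printed with `%hu`, which disguises exactly the packets worth seeing; print that field with `%d`. The ICMP `I=` id/sequence fields are only meaningful for echo types, for any other type they are the first four body bytes, which the format should not label as id:seq.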
2034 | diff -urP linux-2.2.20-ow1/net/ipv4/route.c linux-2.2.20-hap-2/net/ipv4/route.c | |
2035 | --- linux-2.2.20-ow1/net/ipv4/route.c Fri Nov 2 11:39:16 2001 | |
2036 | +++ linux-2.2.20-hap-2/net/ipv4/route.c Fri Nov 9 19:16:17 2001 | |
2037 | @@ -715,12 +715,20 @@ | |
2038 | return; | |
2039 | ||
2040 | reject_redirect: | |
2041 | +#ifdef CONFIG_SECURE_LOGGING | |
2042 | + security_alert("redirect from %d.%d.%d.%d/%s to %d.%d.%d.%d ignored; " | |
2043 | + "path = %d.%d.%d.%d -> %d.%d.%d.%d, tos %02x\n", | |
2044 | + "redirects ignored", | |
2045 | + NIPQUAD(old_gw), dev->name, NIPQUAD(new_gw), | |
2046 | + NIPQUAD(saddr), NIPQUAD(daddr), tos); | |
2047 | +#else | |
2048 | #ifdef CONFIG_IP_ROUTE_VERBOSE | |
2049 | if (IN_DEV_LOG_MARTIANS(in_dev) && net_ratelimit()) | |
2050 | printk(KERN_INFO "Redirect from %X/%s to %X ignored." | |
2051 | "Path = %X -> %X, tos %02x\n", | |
2052 | ntohl(old_gw), dev->name, ntohl(new_gw), | |
2053 | ntohl(saddr), ntohl(daddr), tos); | |
2054 | +#endif | |
2055 | #endif | |
2056 | } | |
2057 | ||
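Review bot: The security_alert() format ends with "\n" and the macro in kernel.h appends its own "\n" after normal_msg, so every ignored-redirect line is followed by a blank line; drop the trailing newline from the format. The new branch also replaces the `IN_DEV_LOG_MARTIANS(in_dev)` gate and the CONFIG_IP_ROUTE_VERBOSE dependency, so with CONFIG_SECURE_LOGGING the per-interface log_martians sysctl no longer silences these messages and any host on the link can generate alert traffic bounded only by the one-second window; keep the gate, `if (IN_DEV_LOG_MARTIANS(in_dev)) security_alert(...)`, or state the override in the help text. The enclosing function starts before the hunk.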
2058 | diff -urP linux-2.2.20-ow1/net/ipv4/tcp_ipv4.c linux-2.2.20-hap-2/net/ipv4/tcp_ipv4.c | |
2059 | --- linux-2.2.20-ow1/net/ipv4/tcp_ipv4.c Sun Mar 25 11:37:41 2001 | |
2060 | +++ linux-2.2.20-hap-2/net/ipv4/tcp_ipv4.c Fri Nov 9 19:16:17 2001 | |
2061 | @@ -1747,6 +1747,14 @@ | |
2062 | len < (th->doff * 4)) | |
2063 | goto bad_packet; | |
2064 | ||
2065 | +#ifdef CONFIG_SECURE_NETWORK | |
2066 | + /* Throw out packets with clearly bogus flags. */ | |
2067 | + if ( ! (th->ack || th->syn || th->rst) || | |
2068 | + (th->fin && (th->syn || th->rst) ) || | |
2069 | + (th->rst && (th->syn || th->urg) ) || | |
2070 | + (th->syn && th->urg) ) | |
2071 | + goto tcp_bad_flags; | |
2072 | +#endif | |
2073 | #ifdef CONFIG_IP_TRANSPARENT_PROXY | |
2074 | if (IPCB(skb)->redirport) | |
2075 | sk = tcp_v4_proxy_lookup(th->dest, skb->nh.iph->saddr, th->source, | |
2076 | @@ -1762,7 +1770,11 @@ | |
2077 | } | |
2078 | #endif | |
2079 | if (!sk) | |
2080 | +#ifdef CONFIG_SECURE_NETWORK | |
2081 | + goto tcp_unserved; | |
2082 | +#else | |
2083 | goto no_tcp_socket; | |
2084 | +#endif | |
2085 | if(!ipsec_sk_policy(sk,skb)) | |
2086 | goto discard_it; | |
2087 | ||
2088 | @@ -1780,6 +1792,52 @@ | |
2089 | ||
2090 | __skb_queue_tail(&sk->back_log, skb); | |
2091 | return 0; | |
2092 | +#ifdef CONFIG_SECURE_NETWORK | |
2093 | + | |
2094 | +tcp_bad_flags: | |
2095 | + if(net_ratelimit()) | |
2096 | + printk(KERN_INFO | |
2097 | + "Packet log: badflag DENY %s PROTO=TCP %d.%d.%d.%d:%d " | |
2098 | + "%d.%d.%d.%d:%d L=%hu:%u:%u S=0x%2.2hX I=%hu:%u:%u " | |
2099 | + "T=%hu %c%c%c%c%c%c\n", | |
2100 | + skb->dev->name, NIPQUAD(skb->nh.iph->saddr), ntohs(th->source), | |
2101 | + NIPQUAD(skb->nh.iph->daddr), ntohs(th->dest), | |
2102 | + ntohs(skb->nh.iph->tot_len), skb->len, skb->len - th->doff*4, | |
2103 | + skb->nh.iph->tos, ntohs(skb->nh.iph->id), ntohl(th->seq), | |
2104 | + ntohl(th->ack_seq), skb->nh.iph->ttl, | |
2105 | + th->ack ? 'A' : '.', | |
2106 | + th->syn ? 'S' : '.', | |
2107 | + th->fin ? 'F' : '.', | |
2108 | + th->rst ? 'R' : '.', | |
2109 | + th->psh ? 'P' : '.', | |
2110 | + th->urg ? 'U' : '.' ); | |
2111 | + /* | |
2112 | + * This will cause tcp_send_reset to *not* send. | |
2113 | + */ | |
2114 | + th->rst=1; | |
2115 | + goto no_tcp_socket; | |
2116 | + | |
2117 | +tcp_unserved: | |
2118 | + if(net_ratelimit()) | |
2119 | + printk(KERN_INFO | |
2120 | + "Packet log: unserved DENY %s PROTO=TCP %d.%d.%d.%d:%d " | |
2121 | + "%d.%d.%d.%d:%d L=%hu:%u:%u S=0x%2.2hX " | |
2122 | + "I=%hu:%u:%u T=%hu %c%c%c%c%c%c\n", | |
2123 | + skb->dev->name, NIPQUAD(skb->nh.iph->saddr), ntohs(th->source), | |
2124 | + NIPQUAD(skb->nh.iph->daddr), ntohs(th->dest), | |
2125 | + ntohs(skb->nh.iph->tot_len), skb->len, skb->len - th->doff*4, | |
2126 | + skb->nh.iph->tos, ntohs(skb->nh.iph->id), ntohl(th->seq), | |
2127 | + ntohl(th->ack_seq), skb->nh.iph->ttl, | |
2128 | + th->ack ? 'A' : '.', | |
2129 | + th->syn ? 'S' : '.', | |
2130 | + th->fin ? 'F' : '.', | |
2131 | + th->rst ? 'R' : '.', | |
2132 | + th->psh ? 'P' : '.', | |
2133 | + th->urg ? 'U' : '.' ); | |
2134 | +#ifdef CONFIG_SECURE_NET_SBD | |
2135 | + th->rst=1; | |
2136 | +#endif | |
2137 | +#endif /* CONFIG_SECURE_NETWORK */ | |
2138 | ||
2139 | no_tcp_socket: | |
2140 | tcp_v4_send_reset(skb); | |
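Review bot: Both new labels suppress the RST by writing `th->rst = 1` into the received packet's header and relying on tcp_v4_send_reset() declining to answer a segment that already carries RST, which mutates skb data that a packet-socket tap presumably shares and couples this path to an internal detail of the reset routine. Since `discard_it` is the label the second hunk already jumps to and, if the stock layout is kept, the one no_tcp_socket falls into after sending the reset, jump there directly: replace `th->rst=1; goto no_tcp_socket;` in tcp_bad_flags with `goto discard_it;`, and in tcp_unserved put `goto discard_it;` inside the `#ifdef CONFIG_SECURE_NET_SBD` instead of the assignment. The badflag log prints `skb->len - th->doff*4` with `%u`, which is safe only because the `len < (th->doff * 4)` check earlier in the function rejects shorter segments; a comment on the printk should say so. The enclosing function continues outside the hunk.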
2141 | diff -urP linux-2.2.20-ow1/net/ipv4/udp.c linux-2.2.20-hap-2/net/ipv4/udp.c | |
2142 | --- linux-2.2.20-ow1/net/ipv4/udp.c Sun Mar 25 11:37:41 2001 | |
2143 | +++ linux-2.2.20-hap-2/net/ipv4/udp.c Fri Nov 9 19:16:17 2001 | |
2144 | @@ -1137,6 +1137,14 @@ | |
2145 | goto csum_error; | |
2146 | #endif | |
2147 | udp_statistics.UdpNoPorts++; | |
2148 | +#ifdef CONFIG_SECURE_NETWORK | |
2149 | + /* | |
2150 | + * This will cause a message for _every_ UDP packet we didn't | |
2151 | + * ask for, _including_ broadcasts. If you don't care about | |
2152 | + * broadcasts, move the following line inside the if { .. } below. | |
2153 | + */ | |
2154 | + goto udp_unserved_port; | |
2155 | +#else | |
2156 | icmp_send(skb, ICMP_DEST_UNREACH, ICMP_PORT_UNREACH, 0); | |
2157 | ||
2158 | /* | |
2159 | @@ -1145,9 +1153,29 @@ | |
2160 | */ | |
2161 | kfree_skb(skb); | |
2162 | return(0); | |
2163 | +#endif | |
2164 | } | |
2165 | udp_deliver(sk, skb); | |
2166 | return 0; | |
2167 | + | |
2168 | +#ifdef CONFIG_SECURE_NETWORK | |
2169 | + | |
2170 | +udp_unserved_port: | |
2171 | + if(net_ratelimit()) | |
2172 | + printk( KERN_INFO | |
2173 | + "Packet log: unserved DENY %s PROTO=UDP %d.%d.%d.%d:%d %d.%d.%d.%d:%d " | |
2174 | + "L=%hu:%u S=0x%2.2hX I=%hu T=%hu\n", | |
2175 | + skb->dev->name, NIPQUAD(saddr), ntohs(uh->source), | |
2176 | + NIPQUAD(daddr), ntohs(uh->dest), ntohs(skb->nh.iph->tot_len), | |
2177 | + ntohs(uh->len), skb->nh.iph->tos, ntohs(skb->nh.iph->id), | |
2178 | + skb->nh.iph->ttl); | |
2179 | +#ifndef CONFIG_SECURE_NET_SBD | |
2180 | + icmp_send(skb, ICMP_DEST_UNREACH, ICMP_PORT_UNREACH, 0); | |
2181 | +#endif | |
2182 | + skb->sk = NULL; | |
2183 | + kfree_skb(skb); | |
2184 | + return(0); | |
2185 | +#endif /* CONFIG_SECURE_NETWORK */ | |
2186 | ||
2187 | csum_error: | |
2188 | /* | |
2189 | diff -urP linux-2.2.20-ow1/security/Common.in linux-2.2.20-hap-2/security/Common.in | |
2190 | --- linux-2.2.20-ow1/security/Common.in Sat Nov 3 13:14:57 2001 | |
2191 | +++ linux-2.2.20-hap-2/security/Common.in Fri Nov 9 19:16:17 2001 | |
2192 | @@ -4,9 +4,26 @@ | |
2193 | ||
2194 | bool 'Restricted links in /tmp' CONFIG_SECURE_LINK | |
2195 | bool 'Restricted FIFOs in /tmp' CONFIG_SECURE_FIFO | |
2196 | +if [ "$CONFIG_SECURE_LINK" = "y" -o "CONFIG_SECURE_FIFO" = "y" ]; then | |
2197 | + bool 'Allow links/fifos in non-world-writable +t dirs' CONFIG_SECURE_NOTSOMUCH | |
2198 | +fi | |
2199 | bool 'Restricted /proc' CONFIG_SECURE_PROC | |
2200 | bool 'Special handling of fd 0, 1, and 2' CONFIG_SECURE_FD_0_1_2 | |
2201 | bool 'Enforce RLIMIT_NPROC on execve(2)' CONFIG_SECURE_RLIMIT_NPROC | |
2202 | if [ "$CONFIG_SYSVIPC" = "y" ]; then | |
2203 | bool 'Destroy shared memory segments not in use' CONFIG_SECURE_SHM | |
2204 | +fi | |
2205 | +bool 'Unofficial bugfixes' CONFIG_SECURE_BUGFIX | |
2206 | +bool 'Extra logging of unusual events' CONFIG_SECURE_LOGGING | |
2207 | +bool 'Paranoid networking' CONFIG_SECURE_NETWORK | |
2208 | +if [ "$CONFIG_SECURE_NETWORK" = "y" ]; then | |
2209 | + bool 'Blackhole networking' CONFIG_SECURE_NET_SBD | |
2210 | +fi | |
2211 | +bool 'Restricted chroot' CONFIG_SECURE_CHROOT | |
2212 | +bool 'Restricted ptrace' CONFIG_SECURE_TRACE | |
2213 | +if [ "$CONFIG_SECURE_TRACE" == "y" ]; then | |
2214 | + bool ' Allow special group' CONFIG_SECURE_TRACE_USERGROUP | |
2215 | +fi | |
2216 | +if [ "$CONFIG_SYSCTL" == "y" ]; then | |
2217 | + bool 'Security Sysctl Support' CONFIG_SECURE_SYSCTL | |
2218 | fi |
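Review bot: The test that offers CONFIG_SECURE_NOTSOMUCH compares the literal string "CONFIG_SECURE_FIFO" instead of the variable, so that leg is always false and the option is shown only when CONFIG_SECURE_LINK is y; fix with `if [ "$CONFIG_SECURE_LINK" = "y" -o "$CONFIG_SECURE_FIFO" = "y" ]; then`. The two later tests use `==`, a bash extension to `[` that fails under a POSIX /bin/sh while the rest of the file uses `=`; change `"$CONFIG_SECURE_TRACE" == "y"` and `"$CONFIG_SYSCTL" == "y"` to a single `=`. CONFIG_SECURE_SYSCTL is offered here but nothing in the rest of the patch tests it (the sysctl.c table entries are unconditional), so either guard that code with it or drop the option.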