1 diff -urNp linux-2.6.26.orig/arch/sparc/Makefile linux-2.6.26/arch/sparc/Makefile
2 --- linux-2.6.26.orig/arch/sparc/Makefile 2008-09-01 11:44:21.000000000 +0200
3 +++ linux-2.6.26/arch/sparc/Makefile 2008-09-02 12:17:21.000000000 +0200
4 @@ -36,7 +36,7 @@ drivers-$(CONFIG_OPROFILE) += arch/sparc
5 # Renaming is done to avoid confusing pattern matching rules in 2.5.45 (multy-)
6 INIT_Y := $(patsubst %/, %/built-in.o, $(init-y))
8 -CORE_Y += kernel/ mm/ fs/ ipc/ security/ crypto/ block/
9 +CORE_Y += kernel/ mm/ fs/ ipc/ security/ crypto/ block/ grsecurity/
10 CORE_Y := $(patsubst %/, %/built-in.o, $(CORE_Y))
11 DRIVERS_Y := $(patsubst %/, %/built-in.o, $(drivers-y))
12 NET_Y := $(patsubst %/, %/built-in.o, $(net-y))
13 diff -urNp linux-2.6.26.orig/drivers/char/keyboard.c linux-2.6.26/drivers/char/keyboard.c
14 --- linux-2.6.26.orig/drivers/char/keyboard.c 2008-09-01 11:43:37.000000000 +0200
15 +++ linux-2.6.26/drivers/char/keyboard.c 2008-09-02 12:17:21.000000000 +0200
16 @@ -633,6 +633,16 @@ static void k_spec(struct vc_data *vc, u
17 kbd->kbdmode == VC_MEDIUMRAW) &&
19 return; /* SAK is allowed even in raw mode */
21 +#if defined(CONFIG_GRKERNSEC_PROC)
23 + void *func = fn_handler[value];
24 + if (func == fn_show_state || func == fn_show_ptregs ||
25 + func == fn_show_mem)
30 fn_handler[value](vc);
33 diff -urNp linux-2.6.26.orig/drivers/pci/proc.c linux-2.6.26/drivers/pci/proc.c
34 --- linux-2.6.26.orig/drivers/pci/proc.c 2008-09-01 11:43:47.000000000 +0200
35 +++ linux-2.6.26/drivers/pci/proc.c 2008-09-02 12:17:21.000000000 +0200
36 @@ -472,7 +472,16 @@ static const struct file_operations proc
37 static int __init pci_proc_init(void)
39 struct pci_dev *dev = NULL;
41 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
42 +#ifdef CONFIG_GRKERNSEC_PROC_USER
43 + proc_bus_pci_dir = proc_mkdir_mode("bus/pci", S_IRUSR | S_IXUSR, NULL);
44 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
45 + proc_bus_pci_dir = proc_mkdir_mode("bus/pci", S_IRUSR | S_IXUSR | S_IRGRP | S_IXGRP, NULL);
48 proc_bus_pci_dir = proc_mkdir("bus/pci", NULL);
50 proc_create("devices", 0, proc_bus_pci_dir,
51 &proc_bus_pci_dev_operations);
53 diff -urNp linux-2.6.26.orig/fs/Kconfig linux-2.6.26/fs/Kconfig
54 --- linux-2.6.26.orig/fs/proc/Kconfig 2008-09-01 11:43:58.000000000 +0200
55 +++ linux-2.6.26/fs/proc/Kconfig 2008-09-02 12:17:21.000000000 +0200
56 @@ -926,12 +926,12 @@ config PROC_FS
59 bool "/proc/kcore support" if !ARM
60 - depends on PROC_FS && MMU
61 + depends on PROC_FS && MMU && !GRKERNSEC_PROC_ADD
64 bool "/proc/vmcore support (EXPERIMENTAL)"
65 - depends on PROC_FS && CRASH_DUMP
67 + depends on PROC_FS && CRASH_DUMP && !GRKERNSEC
70 Exports the dump image of crashed kernel in ELF format.
72 diff -urNp linux-2.6.26.orig/fs/namei.c linux-2.6.26/fs/namei.c
73 --- linux-2.6.26.orig/fs/namei.c 2008-09-01 11:43:59.000000000 +0200
74 +++ linux-2.6.26/fs/namei.c 2008-09-02 12:17:21.000000000 +0200
76 #include <linux/vs_cowbl.h>
77 #include <linux/vs_device.h>
78 #include <linux/vs_context.h>
79 +#include <linux/grsecurity.h>
80 #include <linux/pid_namespace.h>
81 #include <asm/uaccess.h>
83 @@ -740,6 +741,13 @@ static inline int do_follow_link(struct
84 err = security_inode_follow_link(path->dentry, nd);
88 + if (gr_handle_follow_link(path->dentry->d_parent->d_inode,
89 + path->dentry->d_inode, path->dentry)) {
94 current->link_count++;
95 current->total_link_count++;
97 @@ -1925,6 +1933,12 @@ do_last:
102 + if (gr_handle_fifo(path.dentry, dir, flag, acc_mode)) {
104 + goto exit_mutex_unlock;
107 mutex_unlock(&dir->d_inode->i_mutex);
108 audit_inode(pathname, path.dentry);
110 @@ -2028,6 +2042,13 @@ do_link:
111 error = security_inode_follow_link(path.dentry, &nd);
115 + if (gr_handle_follow_link(path.dentry->d_parent->d_inode, path.dentry->d_inode,
121 error = __do_follow_link(&path, &nd);
123 /* Does someone understand code flow here? Or it is only
124 @@ -2669,6 +2690,13 @@ asmlinkage long sys_linkat(int olddfd, c
125 error = PTR_ERR(new_dentry);
126 if (IS_ERR(new_dentry))
129 + if (gr_handle_hardlink(old_path.dentry, old_path.dentry->d_inode,
130 + old_path.dentry->d_inode->i_mode, to)) {
135 error = mnt_want_write(nd.path.mnt);
138 diff -urNp linux-2.6.26.orig/fs/proc/array.c linux-2.6.26/fs/proc/array.c
139 --- linux-2.6.26.orig/fs/proc/array.c 2008-09-01 11:43:59.000000000 +0200
140 +++ linux-2.6.26/fs/proc/array.c 2008-09-02 12:17:21.000000000 +0200
141 @@ -639,3 +639,10 @@ int proc_pid_statm(struct seq_file *m, s
146 +#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
147 +int proc_pid_ipaddr(struct task_struct *task, char *buffer)
149 + return sprintf(buffer, "%u.%u.%u.%u\n", NIPQUAD(task->signal->curr_ip));
152 diff -urNp linux-2.6.26.orig/fs/proc/base.c linux-2.6.26/fs/proc/base.c
153 --- linux-2.6.26.orig/fs/proc/base.c 2008-09-01 11:43:59.000000000 +0200
154 +++ linux-2.6.26/fs/proc/base.c 2008-09-02 12:23:45.000000000 +0200
156 #include <linux/pid_namespace.h>
157 #include <linux/vs_context.h>
158 #include <linux/vs_network.h>
159 +#include <linux/grsecurity.h>
161 #include "internal.h"
164 @@ -307,9 +312,9 @@ static int proc_pid_auxv(struct task_str
165 struct mm_struct *mm = get_task_mm(task);
167 unsigned int nwords = 0;
171 - while (mm->saved_auxv[nwords - 2] != 0); /* AT_NULL */
172 + } while (mm->saved_auxv[nwords - 2] != 0); /* AT_NULL */
173 res = nwords * sizeof(mm->saved_auxv[0]);
176 @@ -1412,7 +1417,11 @@ static struct inode *proc_pid_make_inode
178 if (task_dumpable(task)) {
179 inode->i_uid = task->euid;
180 +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
181 + inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
183 inode->i_gid = task->egid;
186 /* procfs is xid tagged */
187 inode->i_tag = (tag_t)vx_task_xid(task);
188 @@ -1430,17 +1439,39 @@ static int pid_getattr(struct vfsmount *
190 struct inode *inode = dentry->d_inode;
191 struct task_struct *task;
192 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
193 + struct task_struct *tmp = current;
196 generic_fillattr(inode, stat);
201 task = pid_task(proc_pid(inode), PIDTYPE_PID);
205 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
206 + && (!tmp->uid || (tmp->uid == task->uid)
207 +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
208 + || in_group_p(CONFIG_GRKERNSEC_PROC_GID)
213 if ((inode->i_mode == (S_IFDIR|S_IRUGO|S_IXUGO)) ||
214 +#ifdef CONFIG_GRKERNSEC_PROC_USER
215 + (inode->i_mode == (S_IFDIR|S_IRUSR|S_IXUSR)) ||
216 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
217 + (inode->i_mode == (S_IFDIR|S_IRUSR|S_IRGRP|S_IXUSR|S_IXGRP)) ||
219 task_dumpable(task)) {
220 stat->uid = task->euid;
221 +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
222 + stat->gid = CONFIG_GRKERNSEC_PROC_GID;
224 stat->gid = task->egid;
229 @@ -1468,11 +1505,21 @@ static int pid_revalidate(struct dentry
231 struct inode *inode = dentry->d_inode;
232 struct task_struct *task = get_proc_task(inode);
235 if ((inode->i_mode == (S_IFDIR|S_IRUGO|S_IXUGO)) ||
236 +#ifdef CONFIG_GRKERNSEC_PROC_USER
237 + (inode->i_mode == (S_IFDIR|S_IRUSR|S_IXUSR)) ||
238 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
239 + (inode->i_mode == (S_IFDIR|S_IRUSR|S_IRGRP|S_IXUSR|S_IXGRP)) ||
241 task_dumpable(task)) {
242 inode->i_uid = task->euid;
243 +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
244 + inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
246 inode->i_gid = task->egid;
251 @@ -1841,12 +1888,19 @@ static int proc_fd_permission(struct ino
252 struct nameidata *nd)
255 + struct task_struct *task;
257 rv = generic_permission(inode, mask, NULL);
261 if (task_pid(current) == proc_pid(inode))
264 + task = get_proc_task(inode);
268 + put_task_struct(task);
273 @@ -2617,7 +2683,14 @@ static struct dentry *proc_pid_instantia
277 +#ifdef CONFIG_GRKERNSEC_PROC_USER
278 + inode->i_mode = S_IFDIR|S_IRUSR|S_IXUSR;
279 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
280 + inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
281 + inode->i_mode = S_IFDIR|S_IRUSR|S_IRGRP|S_IXUSR|S_IXGRP;
283 inode->i_mode = S_IFDIR|S_IRUGO|S_IXUGO;
285 inode->i_op = &proc_tgid_base_inode_operations;
286 inode->i_fop = &proc_tgid_base_operations;
287 inode->i_flags|=S_IMMUTABLE;
288 @@ -2724,6 +2801,9 @@ int proc_pid_readdir(struct file * filp,
290 unsigned int nr = filp->f_pos - FIRST_PROCESS_ENTRY;
291 struct task_struct *reaper = get_proc_task_real(filp->f_path.dentry->d_inode);
292 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
293 + struct task_struct *tmp = current;
295 struct tgid_iter iter;
296 struct pid_namespace *ns;
298 @@ -2742,6 +2822,15 @@ int proc_pid_readdir(struct file * filp,
299 for (iter = next_tgid(ns, iter);
301 iter.tgid += 1, iter = next_tgid(ns, iter)) {
302 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
303 + if (tmp->uid && (iter.task->uid != tmp->uid)
304 +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
305 + && !in_group_p(CONFIG_GRKERNSEC_PROC_GID)
311 filp->f_pos = iter.tgid + TGID_OFFSET;
312 if (!vx_proc_task_visible(iter.task))
314 @@ -2815,6 +2906,9 @@ static const struct pid_entry tid_base_s
315 #ifdef CONFIG_FAULT_INJECTION
316 REG("make-it-fail", S_IRUGO|S_IWUSR, fault_inject),
318 +#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
319 + INF("ipaddr", S_IRUSR, pid_ipaddr),
323 static int proc_tid_base_readdir(struct file * filp,
324 diff -urNp linux-2.6.26.orig/fs/proc/inode.c linux-2.6.26/fs/proc/inode.c
325 --- linux-2.6.26.orig/fs/proc/inode.c 2008-09-01 11:43:59.000000000 +0200
326 +++ linux-2.6.26/fs/proc/inode.c 2008-09-02 12:17:21.000000000 +0200
327 @@ -403,7 +403,11 @@ struct inode *proc_get_inode(struct supe
329 inode->i_mode = de->mode;
330 inode->i_uid = de->uid;
331 +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
332 + inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
334 inode->i_gid = de->gid;
338 PROC_I(inode)->vx_flags = de->vx_flags;
339 diff -urNp linux-2.6.26.orig/fs/proc/internal.h linux-2.6.26/fs/proc/internal.h
340 --- linux-2.6.26.orig/fs/proc/internal.h 2008-09-01 11:43:59.000000000 +0200
341 +++ linux-2.6.26/fs/proc/internal.h 2008-09-02 12:17:21.000000000 +0200
342 @@ -58,6 +58,9 @@ extern int proc_pid_statm(struct seq_fil
343 struct pid *pid, struct task_struct *task);
344 extern int proc_pid_nsproxy(struct seq_file *m, struct pid_namespace *ns,
345 struct pid *pid, struct task_struct *task);
346 +#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
347 +extern int proc_pid_ipaddr(struct task_struct *task, char *buffer);
350 extern loff_t mem_lseek(struct file *file, loff_t offset, int orig);
352 --- linux-2.6.26.orig/fs/proc/cmdline.c 2008-12-25 00:26:37.000000000 +0100
353 +++ linux-2.6.26/fs/proc/cmdline.c 2009-01-02 17:46:34.278247774 +0100
356 static int __init proc_cmdline_init(void)
358 - proc_create("cmdline", 0, NULL, &cmdline_proc_fops);
360 +#ifdef CONFIG_GRKERNSEC_PROC_USER
362 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
363 + gr_mode = S_IRUSR | S_IRGRP;
365 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
366 + proc_create("cmdline", gr_mode, NULL, &cmdline_proc_fops);
370 module_init(proc_cmdline_init);
371 --- linux-2.6.26.orig/fs/proc/devices.c 2008-12-25 00:26:37.000000000 +0100
372 +++ linux-2.6.26/fs/proc/devices.c 2009-01-02 17:43:00.758269666 +0100
375 static int __init proc_devices_init(void)
377 - proc_create("devices", 0, NULL, &proc_devinfo_operations);
379 +#ifdef CONFIG_GRKERNSEC_PROC_USER
381 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
382 + gr_mode = S_IRUSR | S_IRGRP;
384 + proc_create("devices", gr_mode, NULL, &proc_devinfo_operations);
387 module_init(proc_devices_init);
388 --- linux-2.6.26.orig/fs/proc/kcore.c 2008-12-25 00:26:37.000000000 +0100
389 +++ linux-2.6.26/fs/proc/kcore.c 2009-01-02 17:45:03.714922801 +0100
390 @@ -404,10 +404,12 @@
392 static int __init proc_kcore_init(void)
394 +#if defined(CONFIG_PROC_KCORE) && !defined(CONFIG_GRKERNSEC_PROC_ADD)
395 proc_root_kcore = proc_create("kcore", S_IRUSR, NULL, &proc_kcore_operations);
397 proc_root_kcore->size =
398 (size_t)high_memory - PAGE_OFFSET + PAGE_SIZE;
402 module_init(proc_kcore_init);
403 diff -urNp linux-2.6.26.orig/fs/proc/root.c linux-2.6.26/fs/proc/root.c
404 --- linux-2.6.26.orig/fs/proc/root.c 2008-09-01 11:43:59.000000000 +0200
405 +++ linux-2.6.26/fs/proc/root.c 2008-09-02 12:17:21.000000000 +0200
406 @@ -139,7 +139,15 @@ void __init proc_root_init(void)
407 #ifdef CONFIG_PROC_DEVICETREE
408 proc_device_tree_init();
410 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
411 +#ifdef CONFIG_GRKERNSEC_PROC_USER
412 + proc_mkdir_mode("bus", S_IRUSR | S_IXUSR, NULL);
413 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
414 + proc_mkdir_mode("bus", S_IRUSR | S_IXUSR | S_IRGRP | S_IXGRP, NULL);
417 proc_mkdir("bus", NULL);
422 diff -urNp linux-2.6.26.orig/grsecurity/grsec_disabled.c linux-2.6.26/grsecurity/grsec_disabled.c
423 --- linux-2.6.26.orig/grsecurity/grsec_disabled.c 1970-01-01 01:00:00.000000000 +0100
424 +++ linux-2.6.26/grsecurity/grsec_disabled.c 2008-09-02 12:17:21.000000000 +0200
427 +grsecurity_init(void)
432 diff -urNp linux-2.6.26.orig/grsecurity/grsec_fifo.c linux-2.6.26/grsecurity/grsec_fifo.c
433 --- linux-2.6.26.orig/grsecurity/grsec_fifo.c 1970-01-01 01:00:00.000000000 +0100
434 +++ linux-2.6.26/grsecurity/grsec_fifo.c 2008-09-02 12:17:21.000000000 +0200
436 +#include <linux/kernel.h>
437 +#include <linux/sched.h>
438 +#include <linux/fs.h>
439 +#include <linux/file.h>
440 +#include <linux/grinternal.h>
443 +gr_handle_fifo(const struct dentry *dentry, const struct vfsmount *mnt,
444 + const struct dentry *dir, const int flag, const int acc_mode)
446 +#ifdef CONFIG_GRKERNSEC_FIFO
447 + if (grsec_enable_fifo && S_ISFIFO(dentry->d_inode->i_mode) &&
448 + !(flag & O_EXCL) && (dir->d_inode->i_mode & S_ISVTX) &&
449 + (dentry->d_inode->i_uid != dir->d_inode->i_uid) &&
450 + (current->fsuid != dentry->d_inode->i_uid)) {
456 diff -urNp linux-2.6.26.orig/grsecurity/grsec_init.c linux-2.6.26/grsecurity/grsec_init.c
457 --- linux-2.6.26.orig/grsecurity/grsec_init.c 1970-01-01 01:00:00.000000000 +0100
458 +++ linux-2.6.26/grsecurity/grsec_init.c 2008-09-02 12:17:21.000000000 +0200
460 +#include <linux/kernel.h>
461 +#include <linux/sched.h>
462 +#include <linux/mm.h>
463 +#include <linux/smp_lock.h>
464 +#include <linux/slab.h>
465 +#include <linux/vmalloc.h>
466 +#include <linux/percpu.h>
468 +int grsec_enable_link;
469 +int grsec_enable_fifo;
473 +grsecurity_init(void)
475 +#if !defined(CONFIG_GRKERNSEC_SYSCTL) || defined(CONFIG_GRKERNSEC_SYSCTL_ON)
476 +#ifndef CONFIG_GRKERNSEC_SYSCTL
479 +#ifdef CONFIG_GRKERNSEC_LINK
480 + grsec_enable_link = 1;
482 +#ifdef CONFIG_GRKERNSEC_FIFO
483 + grsec_enable_fifo = 1;
489 diff -urNp linux-2.6.26.orig/grsecurity/grsec_link.c linux-2.6.26/grsecurity/grsec_link.c
490 --- linux-2.6.26.orig/grsecurity/grsec_link.c 1970-01-01 01:00:00.000000000 +0100
491 +++ linux-2.6.26/grsecurity/grsec_link.c 2008-09-02 12:17:21.000000000 +0200
493 +#include <linux/kernel.h>
494 +#include <linux/sched.h>
495 +#include <linux/fs.h>
496 +#include <linux/file.h>
497 +#include <linux/grinternal.h>
500 +gr_handle_follow_link(const struct inode *parent,
501 + const struct inode *inode,
502 + const struct dentry *dentry, const struct vfsmount *mnt)
504 +#ifdef CONFIG_GRKERNSEC_LINK
505 + if (grsec_enable_link && S_ISLNK(inode->i_mode) &&
506 + (parent->i_mode & S_ISVTX) && (parent->i_uid != inode->i_uid) &&
507 + (parent->i_mode & S_IWOTH) && (current->fsuid != inode->i_uid)) {
515 +gr_handle_hardlink(const struct dentry *dentry,
516 + const struct vfsmount *mnt,
517 + struct inode *inode, const int mode, const char *to)
519 +#ifdef CONFIG_GRKERNSEC_LINK
520 + if (grsec_enable_link && current->fsuid != inode->i_uid &&
521 + (!S_ISREG(mode) || (mode & S_ISUID) ||
522 + ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP)) ||
523 + (generic_permission(inode, MAY_READ | MAY_WRITE, NULL))) &&
524 + !capable(CAP_FOWNER) && current->uid) {
530 diff -urNp linux-2.6.26.orig/grsecurity/grsec_sock.c linux-2.6.26/grsecurity/grsec_sock.c
531 --- linux-2.6.26.orig/grsecurity/grsec_sock.c 1970-01-01 01:00:00.000000000 +0100
532 +++ linux-2.6.26/grsecurity/grsec_sock.c 2008-09-02 12:17:21.000000000 +0200
534 +#include <linux/kernel.h>
535 +#include <linux/module.h>
536 +#include <linux/sched.h>
537 +#include <linux/file.h>
538 +#include <linux/net.h>
539 +#include <linux/in.h>
540 +#include <linux/ip.h>
541 +#include <net/sock.h>
542 +#include <net/inet_sock.h>
543 +#include <linux/grsecurity.h>
544 +#include <linux/grinternal.h>
546 +#ifdef CONFIG_GRKERNSEC
547 +#define gr_conn_table_size 32749
548 +struct conn_table_entry {
549 + struct conn_table_entry *next;
550 + struct signal_struct *sig;
553 +struct conn_table_entry *gr_conn_table[gr_conn_table_size];
554 +spinlock_t gr_conn_table_lock = SPIN_LOCK_UNLOCKED;
556 +extern const char * gr_socktype_to_name(unsigned char type);
557 +extern const char * gr_proto_to_name(unsigned char proto);
559 +static __inline__ int
560 +conn_hash(__u32 saddr, __u32 daddr, __u16 sport, __u16 dport, unsigned int size)
562 + return ((daddr + saddr + (sport << 8) + (dport << 16)) % size);
565 +static __inline__ int
566 +conn_match(const struct signal_struct *sig, __u32 saddr, __u32 daddr,
567 + __u16 sport, __u16 dport)
569 + if (unlikely(sig->gr_saddr == saddr && sig->gr_daddr == daddr &&
570 + sig->gr_sport == sport && sig->gr_dport == dport))
576 +static void gr_add_to_task_ip_table_nolock(struct signal_struct *sig, struct conn_table_entry *newent)
578 + struct conn_table_entry **match;
579 + unsigned int index;
581 + index = conn_hash(sig->gr_saddr, sig->gr_daddr,
582 + sig->gr_sport, sig->gr_dport,
583 + gr_conn_table_size);
587 + match = &gr_conn_table[index];
588 + newent->next = *match;
594 +static void gr_del_task_from_ip_table_nolock(struct signal_struct *sig)
596 + struct conn_table_entry *match, *last = NULL;
597 + unsigned int index;
599 + index = conn_hash(sig->gr_saddr, sig->gr_daddr,
600 + sig->gr_sport, sig->gr_dport,
601 + gr_conn_table_size);
603 + match = gr_conn_table[index];
604 + while (match && !conn_match(match->sig,
605 + sig->gr_saddr, sig->gr_daddr, sig->gr_sport,
608 + match = match->next;
613 + last->next = match->next;
615 + gr_conn_table[index] = NULL;
622 +static struct signal_struct * gr_lookup_task_ip_table(__u32 saddr, __u32 daddr,
623 + __u16 sport, __u16 dport)
625 + struct conn_table_entry *match;
626 + unsigned int index;
628 + index = conn_hash(saddr, daddr, sport, dport, gr_conn_table_size);
630 + match = gr_conn_table[index];
631 + while (match && !conn_match(match->sig, saddr, daddr, sport, dport))
632 + match = match->next;
642 +void gr_update_task_in_ip_table(struct task_struct *task, const struct inet_sock *inet)
644 +#ifdef CONFIG_GRKERNSEC
645 + struct signal_struct *sig = task->signal;
646 + struct conn_table_entry *newent;
648 + newent = kmalloc(sizeof(struct conn_table_entry), GFP_ATOMIC);
649 + if (newent == NULL)
651 + /* no bh lock needed since we are called with bh disabled */
652 + spin_lock(&gr_conn_table_lock);
653 + gr_del_task_from_ip_table_nolock(sig);
654 + sig->gr_saddr = inet->rcv_saddr;
655 + sig->gr_daddr = inet->daddr;
656 + sig->gr_sport = inet->sport;
657 + sig->gr_dport = inet->dport;
658 + gr_add_to_task_ip_table_nolock(sig, newent);
659 + spin_unlock(&gr_conn_table_lock);
664 +void gr_del_task_from_ip_table(struct task_struct *task)
666 +#ifdef CONFIG_GRKERNSEC
667 + spin_lock(&gr_conn_table_lock);
668 + gr_del_task_from_ip_table_nolock(task->signal);
669 + spin_unlock(&gr_conn_table_lock);
675 +gr_attach_curr_ip(const struct sock *sk)
677 +#ifdef CONFIG_GRKERNSEC
678 + struct signal_struct *p, *set;
679 + const struct inet_sock *inet = inet_sk(sk);
681 + if (unlikely(sk->sk_protocol != IPPROTO_TCP))
684 + set = current->signal;
686 + spin_lock_bh(&gr_conn_table_lock);
687 + p = gr_lookup_task_ip_table(inet->daddr, inet->rcv_saddr,
688 + inet->dport, inet->sport);
689 + if (unlikely(p != NULL)) {
690 + set->curr_ip = p->curr_ip;
691 + set->used_accept = 1;
692 + gr_del_task_from_ip_table_nolock(p);
693 + spin_unlock_bh(&gr_conn_table_lock);
696 + spin_unlock_bh(&gr_conn_table_lock);
698 + set->curr_ip = inet->daddr;
699 + set->used_accept = 1;
704 diff -urNp linux-2.6.26.orig/grsecurity/grsec_sysctl.c linux-2.6.26/grsecurity/grsec_sysctl.c
705 --- linux-2.6.26.orig/grsecurity/grsec_sysctl.c 1970-01-01 01:00:00.000000000 +0100
706 +++ linux-2.6.26/grsecurity/grsec_sysctl.c 2008-09-02 12:17:21.000000000 +0200
708 +#include <linux/kernel.h>
709 +#include <linux/sched.h>
710 +#include <linux/sysctl.h>
711 +#include <linux/grsecurity.h>
712 +#include <linux/grinternal.h>
715 +gr_handle_sysctl_mod(const char *dirname, const char *name, const int op)
717 +#ifdef CONFIG_GRKERNSEC_SYSCTL
718 + if (!strcmp(dirname, "grsecurity") && grsec_lock && (op & 002)) {
725 +#if defined(CONFIG_GRKERNSEC_SYSCTL)
726 +ctl_table grsecurity_table[] = {
727 +#ifdef CONFIG_GRKERNSEC_SYSCTL
728 +#ifdef CONFIG_GRKERNSEC_LINK
730 + .ctl_name = CTL_UNNUMBERED,
731 + .procname = "linking_restrictions",
732 + .data = &grsec_enable_link,
733 + .maxlen = sizeof(int),
735 + .proc_handler = &proc_dointvec,
738 +#ifdef CONFIG_GRKERNSEC_FIFO
740 + .ctl_name = CTL_UNNUMBERED,
741 + .procname = "fifo_restrictions",
742 + .data = &grsec_enable_fifo,
743 + .maxlen = sizeof(int),
745 + .proc_handler = &proc_dointvec,
749 + .ctl_name = CTL_UNNUMBERED,
750 + .procname = "grsec_lock",
751 + .data = &grsec_lock,
752 + .maxlen = sizeof(int),
754 + .proc_handler = &proc_dointvec,
760 diff -urNp linux-2.6.26.orig/grsecurity/Kconfig linux-2.6.26/grsecurity/Kconfig
761 --- linux-2.6.26.orig/grsecurity/Kconfig 1970-01-01 01:00:00.000000000 +0100
762 +++ linux-2.6.26/grsecurity/Kconfig 2008-09-02 12:17:21.000000000 +0200
765 +# grecurity configuration
773 + select CRYPTO_SHA256
775 + select SECURITY_CAPABILITIES
777 + If you say Y here, you will be able to configure many features
778 + that will enhance the security of your system. It is highly
779 + recommended that you say Y here and read through the help
780 + for each option so that you fully understand the features and
781 + can evaluate their usefulness for your machine.
783 +menu "Filesystem Protections"
784 +depends on GRKERNSEC
786 +config GRKERNSEC_PROC
787 + bool "Proc restrictions"
789 + If you say Y here, the permissions of the /proc filesystem
790 + will be altered to enhance system security and privacy. You MUST
791 + choose either a user only restriction or a user and group restriction.
792 + Depending upon the option you choose, you can either restrict users to
793 + see only the processes they themselves run, or choose a group that can
794 + view all processes and files normally restricted to root if you choose
795 + the "restrict to user only" option. NOTE: If you're running identd as
796 + a non-root user, you will have to run it as the group you specify here.
798 +config GRKERNSEC_PROC_USER
799 + bool "Restrict /proc to user only"
800 + depends on GRKERNSEC_PROC
802 + If you say Y here, non-root users will only be able to view their own
803 + processes, and restricts them from viewing network-related information,
804 + and viewing kernel symbol and module information.
806 +config GRKERNSEC_PROC_USERGROUP
807 + bool "Allow special group"
808 + depends on GRKERNSEC_PROC && !GRKERNSEC_PROC_USER
810 + If you say Y here, you will be able to select a group that will be
811 + able to view all processes, network-related information, and
812 + kernel and symbol information. This option is useful if you want
813 + to run identd as a non-root user.
815 +config GRKERNSEC_PROC_GID
816 + int "GID for special group"
817 + depends on GRKERNSEC_PROC_USERGROUP
820 +config GRKERNSEC_PROC_ADD
821 + bool "Additional restrictions"
822 + depends on GRKERNSEC_PROC_USER || GRKERNSEC_PROC_USERGROUP
824 + If you say Y here, additional restrictions will be placed on
825 + /proc that keep normal users from viewing device information and
826 + slabinfo information that could be useful for exploits.
828 +config GRKERNSEC_LINK
829 + bool "Linking restrictions"
831 + If you say Y here, /tmp race exploits will be prevented, since users
832 + will no longer be able to follow symlinks owned by other users in
833 + world-writable +t directories (i.e. /tmp), unless the owner of the
834 + symlink is the owner of the directory. users will also not be
835 + able to hardlink to files they do not own. If the sysctl option is
836 + enabled, a sysctl option with name "linking_restrictions" is created.
838 +config GRKERNSEC_FIFO
839 + bool "FIFO restrictions"
841 + If you say Y here, users will not be able to write to FIFOs they don't
842 + own in world-writable +t directories (i.e. /tmp), unless the owner of
843 + the FIFO is the same owner of the directory it's held in. If the sysctl
844 + option is enabled, a sysctl option with name "fifo_restrictions" is
847 +config GRKERNSEC_PROC_IPADDR
848 + bool "/proc/<pid>/ipaddr support"
850 + If you say Y here, a new entry will be added to each /proc/<pid>
851 + directory that contains the IP address of the person using the task.
852 + The IP is carried across local TCP and AF_UNIX stream sockets.
853 + This information can be useful for IDS/IPSes to perform remote response
854 + to a local attack. The entry is readable by only the owner of the
855 + process (and root if he has CAP_DAC_OVERRIDE, which can be removed via
856 + the RBAC system), and thus does not create privacy concerns.
860 +config GRKERNSEC_SYSCTL
861 + bool "Sysctl support"
863 + If you say Y here, you will be able to change the options that
864 + grsecurity runs with at bootup, without having to recompile your
865 + kernel. You can echo values to files in /proc/sys/kernel/grsecurity
866 + to enable (1) or disable (0) various features. All the sysctl entries
867 + are mutable until the "grsec_lock" entry is set to a non-zero value.
868 + All features enabled in the kernel configuration are disabled at boot
869 + if you do not say Y to the "Turn on features by default" option.
870 + All options should be set at startup, and the grsec_lock entry should
871 + be set to a non-zero value after all the options are set.
872 + *THIS IS EXTREMELY IMPORTANT*
874 +config GRKERNSEC_SYSCTL_ON
875 + bool "Turn on features by default"
876 + depends on GRKERNSEC_SYSCTL
878 + If you say Y here, instead of having all features enabled in the
879 + kernel configuration disabled at boot time, the features will be
880 + enabled at boot time. It is recommended you say Y here unless
881 + there is some reason you would want all sysctl-tunable features to
882 + be disabled by default. As mentioned elsewhere, it is important
883 + to enable the grsec_lock entry once you have finished modifying
884 + the sysctl entries.
887 diff -urNp linux-2.6.26.orig/grsecurity/Makefile linux-2.6.26/grsecurity/Makefile
888 --- linux-2.6.26.orig/grsecurity/Makefile 1970-01-01 01:00:00.000000000 +0100
889 +++ linux-2.6.26/grsecurity/Makefile 2008-09-02 12:17:21.000000000 +0200
891 +# All code in this directory and various hooks inserted throughout the kernel
892 +# are copyright Brad Spengler, and released under the GPL v2 or higher
894 +obj-y = grsec_fifo.o grsec_sock.o grsec_sysctl.o grsec_link.o
896 +obj-$(CONFIG_GRKERNSEC) += grsec_init.o
898 +ifndef CONFIG_GRKERNSEC
899 +obj-y += grsec_disabled.o
902 diff -urNp linux-2.6.26.orig/include/linux/grinternal.h linux-2.6.26/include/linux/grinternal.h
903 --- linux-2.6.26.orig/include/linux/grinternal.h 1970-01-01 01:00:00.000000000 +0100
904 +++ linux-2.6.26/include/linux/grinternal.h 2008-09-02 12:17:21.000000000 +0200
906 +#ifndef __GRINTERNAL_H
907 +#define __GRINTERNAL_H
909 +#ifdef CONFIG_GRKERNSEC
911 +#include <linux/fs.h>
913 +extern int grsec_enable_link;
914 +extern int grsec_enable_fifo;
915 +extern int grsec_lock;
920 diff -urNp linux-2.6.26.orig/include/linux/grsecurity.h linux-2.6.26/include/linux/grsecurity.h
921 --- linux-2.6.26.orig/include/linux/grsecurity.h 1970-01-01 01:00:00.000000000 +0100
922 +++ linux-2.6.26/include/linux/grsecurity.h 2008-09-02 12:17:21.000000000 +0200
924 +#ifndef GR_SECURITY_H
925 +#define GR_SECURITY_H
926 +#include <linux/fs.h>
927 +#include <linux/binfmts.h>
929 +void gr_del_task_from_ip_table(struct task_struct *p);
931 +int gr_handle_follow_link(const struct inode *parent,
932 + const struct inode *inode,
933 + const struct dentry *dentry);
934 +int gr_handle_fifo(const struct dentry *dentry,
935 + const struct dentry *dir, const int flag,
936 + const int acc_mode);
937 +int gr_handle_hardlink(const struct dentry *dentry,
938 + struct inode *inode,
939 + const int mode, const char *to);
942 diff -urNp linux-2.6.26.orig/include/linux/sched.h linux-2.6.26/include/linux/sched.h
943 --- linux-2.6.26.orig/include/linux/sched.h 2008-09-01 11:43:34.000000000 +0200
944 +++ linux-2.6.26/include/linux/sched.h 2008-09-02 12:17:21.000000000 +0200
945 @@ -544,6 +544,15 @@ struct signal_struct {
947 struct tty_audit_buf *tty_audit_buf;
950 +#ifdef CONFIG_GRKERNSEC
960 /* Context switch must be unlocked if interrupts are to be enabled */
961 diff -urNp linux-2.6.26.orig/include/linux/sysctl.h linux-2.6.26/include/linux/sysctl.h
962 --- linux-2.6.26.orig/include/linux/sysctl.h 2008-09-01 11:43:34.000000000 +0200
963 +++ linux-2.6.26/include/linux/sysctl.h 2008-09-02 12:17:21.000000000 +0200
964 @@ -165,8 +165,11 @@ enum
965 KERN_MAX_LOCK_DEPTH=74,
966 KERN_NMI_WATCHDOG=75, /* int: enable/disable nmi watchdog */
967 KERN_PANIC_ON_NMI=76, /* int: whether we will panic on an unrecovered */
969 +#ifdef CONFIG_GRKERNSEC
970 + KERN_GRSECURITY=98, /* grsecurity */
977 diff -urNp linux-2.6.26.orig/kernel/configs.c linux-2.6.26/kernel/configs.c
978 --- linux-2.6.26.orig/kernel/configs.c 2008-09-01 11:43:58.000000000 +0200
979 +++ linux-2.6.26/kernel/configs.c 2008-09-02 12:17:21.000000000 +0200
980 @@ -79,8 +79,19 @@ static int __init ikconfig_init(void)
981 struct proc_dir_entry *entry;
983 /* create the current config file */
984 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
985 +#ifdef CONFIG_GRKERNSEC_PROC_USER
986 + entry = proc_create("config.gz", S_IFREG | S_IRUSR, NULL,
987 + &ikconfig_file_ops);
988 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
989 + entry = proc_create("config.gz", S_IFREG | S_IRUSR | S_IRGRP, NULL,
990 + &ikconfig_file_ops);
993 entry = proc_create("config.gz", S_IFREG | S_IRUGO, NULL,
1000 diff -urNp linux-2.6.26.orig/kernel/exit.c linux-2.6.26/kernel/exit.c
1001 --- linux-2.6.26.orig/kernel/exit.c 2008-09-01 11:43:58.000000000 +0200
1002 +++ linux-2.6.26/kernel/exit.c 2008-09-02 12:17:21.000000000 +0200
1004 #include <linux/vs_pid.h>
1005 #include <linux/vserver/global.h>
1006 #include <trace/sched.h>
1007 +#include <linux/grsecurity.h>
1009 #include <asm/uaccess.h>
1010 #include <asm/unistd.h>
1011 @@ -137,6 +138,7 @@ static void __exit_signal(struct task_st
1013 flush_sigqueue(&tsk->pending);
1015 + gr_del_task_from_ip_table(tsk);
1017 tsk->sighand = NULL;
1018 spin_unlock(&sighand->siglock);
1019 diff -urNp linux-2.6.26.orig/kernel/kallsyms.c linux-2.6.26/kernel/kallsyms.c
1020 --- linux-2.6.26.orig/kernel/kallsyms.c 2008-09-01 11:43:58.000000000 +0200
1021 +++ linux-2.6.26/kernel/kallsyms.c 2008-09-02 12:17:21.000000000 +0200
1022 @@ -472,7 +472,15 @@ static const struct file_operations kall
1024 static int __init kallsyms_init(void)
1026 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
1027 +#ifdef CONFIG_GRKERNSEC_PROC_USER
1028 + proc_create("kallsyms", S_IFREG | S_IRUSR, NULL, &kallsyms_operations);
1029 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
1030 + proc_create("kallsyms", S_IFREG | S_IRUSR | S_IRGRP, NULL, &kallsyms_operations);
1033 proc_create("kallsyms", 0444, NULL, &kallsyms_operations);
1037 __initcall(kallsyms_init);
1038 diff -urNp linux-2.6.26.orig/kernel/resource.c linux-2.6.26/kernel/resource.c
1039 --- linux-2.6.26.orig/kernel/resource.c 2008-09-01 11:43:58.000000000 +0200
1040 +++ linux-2.6.26/kernel/resource.c 2008-09-02 12:17:21.000000000 +0200
1041 @@ -131,8 +131,18 @@ static const struct file_operations proc
1043 static int __init ioresources_init(void)
1045 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
1046 +#ifdef CONFIG_GRKERNSEC_PROC_USER
1047 + proc_create("ioports", S_IRUSR, NULL, &proc_ioports_operations);
1048 + proc_create("iomem", S_IRUSR, NULL, &proc_iomem_operations);
1049 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
1050 + proc_create("ioports", S_IRUSR | S_IRGRP, NULL, &proc_ioports_operations);
1051 + proc_create("iomem", S_IRUSR | S_IRGRP, NULL, &proc_iomem_operations);
1054 proc_create("ioports", 0, NULL, &proc_ioports_operations);
1055 proc_create("iomem", 0, NULL, &proc_iomem_operations);
1059 __initcall(ioresources_init);
1060 diff -urNp linux-2.6.26.orig/kernel/sysctl.c linux-2.6.26/kernel/sysctl.c
1061 --- linux-2.6.26.orig/kernel/sysctl.c 2008-09-01 11:43:58.000000000 +0200
1062 +++ linux-2.6.26/kernel/sysctl.c 2008-09-02 12:17:21.000000000 +0200
1064 static int deprecated_sysctl_warning(struct __sysctl_args *args);
1066 #if defined(CONFIG_SYSCTL)
1067 +#include <linux/grsecurity.h>
1068 +#include <linux/grinternal.h>
1070 +extern int gr_handle_sysctl_mod(const char *dirname, const char *name,
1073 /* External variables not in a header file. */
1075 @@ -153,6 +158,7 @@ static int proc_do_cad_pid(struct ctl_ta
1076 static int proc_dointvec_taint(struct ctl_table *table, int write, struct file *filp,
1077 void __user *buffer, size_t *lenp, loff_t *ppos);
1079 +extern ctl_table grsecurity_table[];
1081 static struct ctl_table root_table[];
1082 static struct ctl_table_root sysctl_table_root;
1083 @@ -823,6 +829,15 @@ static struct ctl_table kern_table[] = {
1084 .child = key_sysctls,
1088 +#if defined(CONFIG_GRKERNSEC_SYSCTL)
1090 + .ctl_name = CTL_UNNUMBERED,
1091 + .procname = "grsecurity",
1093 + .child = grsecurity_table,
1097 * NOTE: do not add new entries to this table unless you have read
1098 * Documentation/sysctl/ctl_unnumbered.txt
1099 @@ -1585,6 +1600,10 @@ int sysctl_perm(struct ctl_table_root *r
1103 + if (table->parent != NULL && table->parent->procname != NULL &&
1104 + table->procname != NULL &&
1105 + gr_handle_sysctl_mod(table->parent->procname, table->procname, op))
1107 error = security_sysctl(table, op & (MAY_READ | MAY_WRITE | MAY_EXEC));
1110 diff -urNp linux-2.6.26.orig/Makefile linux-2.6.26/Makefile
1111 --- linux-2.6.26.orig/Makefile 2008-09-01 11:44:01.000000000 +0200
1112 +++ linux-2.6.26/Makefile 2008-09-02 12:17:21.000000000 +0200
1113 @@ -607,7 +607,7 @@ export mod_strip_cmd
1116 ifeq ($(KBUILD_EXTMOD),)
1117 -core-y += kernel/ mm/ fs/ ipc/ security/ crypto/ block/
1118 +core-y += kernel/ mm/ fs/ ipc/ security/ crypto/ block/ grsecurity/
1120 vmlinux-dirs := $(patsubst %/,%,$(filter %/, $(init-y) $(init-m) \
1121 $(core-y) $(core-m) $(drivers-y) $(drivers-m) \
1122 diff -urNp linux-2.6.26.orig/net/ipv4/inet_hashtables.c linux-2.6.26/net/ipv4/inet_hashtables.c
1123 --- linux-2.6.26.orig/net/ipv4/inet_hashtables.c 2008-09-01 11:43:37.000000000 +0200
1124 +++ linux-2.6.26/net/ipv4/inet_hashtables.c 2008-09-02 12:17:21.000000000 +0200
1126 #include <linux/sched.h>
1127 #include <linux/slab.h>
1128 #include <linux/wait.h>
1129 +#include <linux/grsecurity.h>
1131 #include <net/inet_connection_sock.h>
1132 #include <net/inet_hashtables.h>
1133 #include <net/route.h>
1136 +extern void gr_update_task_in_ip_table(struct task_struct *task, const struct inet_sock *inet);
1139 * Allocate and initialize a new local port bind bucket.
1140 * The bindhash mutex for snum's hash chain must be held here.
1141 @@ -484,6 +487,8 @@ ok:
1143 spin_unlock(&head->lock);
1145 + gr_update_task_in_ip_table(current, inet_sk(sk));
1148 inet_twsk_deschedule(tw, death_row);
1150 diff -urNp linux-2.6.26.orig/net/socket.c linux-2.6.26/net/socket.c
1151 --- linux-2.6.26.orig/net/socket.c 2008-09-01 11:43:36.000000000 +0200
1152 +++ linux-2.6.26/net/socket.c 2008-09-02 12:17:21.000000000 +0200
1154 #include <linux/audit.h>
1155 #include <linux/wireless.h>
1156 #include <linux/nsproxy.h>
1157 +#include <linux/in.h>
1159 #include <asm/uaccess.h>
1160 #include <asm/unistd.h>
1162 #include <linux/vs_inet.h>
1163 #include <linux/vs_inet6.h>
1165 +extern void gr_attach_curr_ip(const struct sock *sk);
1167 static int sock_no_open(struct inode *irrelevant, struct file *dontcare);
1168 static ssize_t sock_aio_read(struct kiocb *iocb, const struct iovec *iov,
1169 unsigned long nr_segs, loff_t pos);
1170 @@ -1502,6 +1505,7 @@ asmlinkage long sys_accept(int fd, struc
1173 security_socket_post_accept(sock, newsock);
1174 + gr_attach_curr_ip(newsock->sk);
1177 fput_light(sock->file, fput_needed);
1178 diff -urNp linux-2.6.26.orig/security/Kconfig linux-2.6.26/security/Kconfig
1179 --- linux-2.6.26.orig/security/Kconfig 2008-09-01 11:43:58.000000000 +0200
1180 +++ linux-2.6.26/security/Kconfig 2008-09-02 12:17:21.000000000 +0200
1183 menu "Security options"
1185 +source grsecurity/Kconfig
1188 bool "Enable access key retention support"