linux-2.4.20-grsecurity-1.9.9-rc3-kmem.patch

   1 diff -Nur linux-2.4.20.org/drivers/char/mem.c linux-2.4.20/drivers/char/mem.c
   2 --- linux-2.4.20.org/drivers/char/mem.c Sat Feb  1 11:29:04 2003
   3 +++ linux-2.4.20/drivers/char/mem.c     Sat Feb  1 11:44:42 2003
   4 @@ -115,10 +115,10 @@
   5         unsigned long p = *ppos;
   6         unsigned long end_mem;
   7
   8 -#ifdef CONFIG_GRKERNSEC_KMEM
   9 +if(grsec_secure_kmem){
  10         gr_handle_mem_write();
  11         return -EPERM;
  12 -#endif
  13 +}
  14
  15         end_mem = __pa(high_memory);
  16         if (p >= end_mem)
  17 @@ -192,10 +192,10 @@
  18  {
  19         unsigned long offset = vma->vm_pgoff << PAGE_SHIFT;
  20
  21 -#ifdef CONFIG_GRKERNSEC_KMEM
  22 +if (grsec_secure_kmem){
  23         if (gr_handle_mem_mmap(offset, vma))
  24                 return -EPERM;
  25 -#endif
  26 +}
  27
  28
  29         /*
  30 @@ -297,10 +297,10 @@
  31         ssize_t virtr = 0;
  32         char * kbuf; /* k-addr because vwrite() takes vmlist_lock rwlock */
  33
  34 -#ifdef CONFIG_GRKERNSEC_KMEM
  35 +if(grsec_secure_kmem){
  36         gr_handle_kmem_write();
  37         return -EPERM;
  38 -#endif
  39 +}
  40
  41         if (p < (unsigned long) high_memory) {
  42                 wrote = count;
  43 @@ -534,10 +534,10 @@
  44
  45  static int open_port(struct inode * inode, struct file * filp)
  46  {
  47 -#ifdef CONFIG_GRKERNSEC_KMEM
  48 +if(grsec_secure_kmem){
  49         gr_handle_open_port();
  50         return -EPERM;
  51 -#endif
  52 +}
  53         return capable(CAP_SYS_RAWIO) ? 0 : -EPERM;
  54  }
  55
  56 diff -Nur linux-2.4.20.org/grsecurity/grsecurity.c linux-2.4.20/grsecurity/grsecurity.c
  57 --- linux-2.4.20.org/grsecurity/grsecurity.c    Sat Feb  1 11:29:04 2003
  58 +++ linux-2.4.20/grsecurity/grsecurity.c        Sat Feb  1 11:40:46 2003
  59 @@ -56,6 +56,7 @@
  60  int grsec_socket_client_gid;
  61  int grsec_enable_socket_server;
  62  int grsec_socket_server_gid;
  63 +int grsec_secure_kmem;
  64  int grsec_lock;
  65
  66  /*
  67 @@ -174,6 +175,9 @@
  68  grsec_enable_socket_server = 1;
  69  grsec_socket_server_gid= CONFIG_GRKERNSEC_SOCKET_SERVER_GID;
  70  #endif
  71 +#ifdef CONFIG_GRKERNSEC_KMEM
  72 +grsec_secure_kmem = 1;
  73 +#endif
  74  #endif
  75
  76  return;
  77 diff -Nur linux-2.4.20.org/include/linux/grinternal.h linux-2.4.20/include/linux/grinternal.h
  78 --- linux-2.4.20.org/include/linux/grinternal.h Sat Feb  1 11:29:04 2003
  79 +++ linux-2.4.20/include/linux/grinternal.h     Sat Feb  1 11:39:19 2003
  80 @@ -63,6 +63,7 @@
  81  extern int grsec_enable_audit_ipc;
  82  extern int grsec_enable_mount;
  83  extern int grsec_enable_chdir;
  84 +extern int grsec_secure_kmem;
  85  extern int grsec_lock;
  86
  87  extern struct task_struct *child_reaper;
  88 diff -Nur linux-2.4.20.org/kernel/sysctl.c linux-2.4.20/kernel/sysctl.c
  89 --- linux-2.4.20.org/kernel/sysctl.c    Sat Feb  1 11:29:04 2003
  90 +++ linux-2.4.20/kernel/sysctl.c        Sat Feb  1 11:40:06 2003
  91 @@ -281,7 +281,7 @@
  92  GS_RANDPING, GS_SOCKET_ALL, GS_SOCKET_ALL_GID, GS_SOCKET_CLIENT,
  93  GS_SOCKET_CLIENT_GID, GS_SOCKET_SERVER, GS_SOCKET_SERVER_GID, GS_TTY, GS_TTYS,
  94  GS_PTY, GS_GROUP, GS_GID, GS_ACHDIR, GS_AMOUNT, GS_AIPC, GS_DMSG, GS_RANDRPC,
  95 -GS_FINDTASK, GS_LOCK};
  96 +GS_FINDTASK, GS_LOCK, GS_KMEM};
  97
  98  static ctl_table grsecurity_table[] = {
  99         {GS_ACL,"acl", NULL, sizeof(int), 0600, NULL, &gr_proc_handler},
 100 @@ -443,6 +443,10 @@
 101         {GS_FINDTASK, "chroot_findtask", &grsec_enable_chroot_findtask,
 102          sizeof (int), 0600, NULL, &proc_dointvec},
 103  #endif
 104 +#ifdef CONFIG_GRKERNSEC_KMEM
 105 +       {GS_FINDTASK, "kmem", &grsec_secure_kmem,
 106 +        sizeof (int), 0600, NULL, &proc_dointvec},
 107 +#endif
 108         {GS_LOCK, "grsec_lock", &grsec_lock, sizeof (int), 0600, NULL,
 109          &proc_dointvec},
 110  #endif