diff -urNp linux-2.6.26.orig/arch/sparc/Makefile linux-2.6.26/arch/sparc/Makefile --- linux-2.6.26.orig/arch/sparc/Makefile 2008-09-01 11:44:21.000000000 +0200 +++ linux-2.6.26/arch/sparc/Makefile 2008-09-02 12:17:21.000000000 +0200 @@ -81,7 +81,7 @@ # Export what is needed by arch/sparc/boot/Makefile export VMLINUX_INIT VMLINUX_MAIN VMLINUX_INIT := $(head-y) $(init-y) -VMLINUX_MAIN := $(core-y) kernel/ mm/ fs/ ipc/ security/ crypto/ block/ +VMLINUX_MAIN := $(core-y) kernel/ mm/ fs/ ipc/ security/ crypto/ block/ grsecurity/ VMLINUX_MAIN += $(patsubst %/, %/lib.a, $(libs-y)) $(libs-y) VMLINUX_MAIN += $(drivers-y) $(net-y) diff -urNp linux-2.6.26.orig/drivers/char/keyboard.c linux-2.6.26/drivers/char/keyboard.c --- linux-2.6.26.orig/drivers/char/keyboard.c 2008-09-01 11:43:37.000000000 +0200 +++ linux-2.6.26/drivers/char/keyboard.c 2008-09-02 12:17:21.000000000 +0200 @@ -633,6 +633,16 @@ static void k_spec(struct vc_data *vc, u kbd->kbdmode == VC_MEDIUMRAW) && value != KVAL(K_SAK)) return; /* SAK is allowed even in raw mode */ + +#if defined(CONFIG_GRKERNSEC_PROC) + { + void *func = fn_handler[value]; + if (func == fn_show_state || func == fn_show_ptregs || + func == fn_show_mem) + return; + } +#endif + fn_handler[value](vc); } diff -urNp linux-2.6.26.orig/drivers/pci/proc.c linux-2.6.26/drivers/pci/proc.c --- linux-2.6.26.orig/drivers/pci/proc.c 2008-09-01 11:43:47.000000000 +0200 +++ linux-2.6.26/drivers/pci/proc.c 2008-09-02 12:17:21.000000000 +0200 @@ -472,7 +472,16 @@ static const struct file_operations proc static int __init pci_proc_init(void) { struct pci_dev *dev = NULL; + +#ifdef CONFIG_GRKERNSEC_PROC_ADD +#ifdef CONFIG_GRKERNSEC_PROC_USER + proc_bus_pci_dir = proc_mkdir_mode("bus/pci", S_IRUSR | S_IXUSR, NULL); +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP) + proc_bus_pci_dir = proc_mkdir_mode("bus/pci", S_IRUSR | S_IXUSR | S_IRGRP | S_IXGRP, NULL); +#endif +#else proc_bus_pci_dir = proc_mkdir("bus/pci", NULL); +#endif proc_create("devices", 0, proc_bus_pci_dir, &proc_bus_pci_dev_operations); proc_initialized = 1; diff -urNp linux-2.6.26.orig/fs/Kconfig linux-2.6.26/fs/Kconfig --- linux-2.6.26.orig/fs/proc/Kconfig 2008-09-01 11:43:58.000000000 +0200 +++ linux-2.6.26/fs/proc/Kconfig 2008-09-02 12:17:21.000000000 +0200 @@ -926,12 +926,12 @@ config PROC_FS config PROC_KCORE bool "/proc/kcore support" if !ARM - depends on PROC_FS && MMU + depends on PROC_FS && MMU && !GRKERNSEC_PROC_ADD config PROC_VMCORE bool "/proc/vmcore support (EXPERIMENTAL)" - depends on PROC_FS && CRASH_DUMP - default y + depends on PROC_FS && CRASH_DUMP && !GRKERNSEC + default n help Exports the dump image of crashed kernel in ELF format. diff -urNp linux-2.6.26.orig/fs/namei.c linux-2.6.26/fs/namei.c --- linux-2.6.26.orig/fs/namei.c 2008-09-01 11:43:59.000000000 +0200 +++ linux-2.6.26/fs/namei.c 2008-09-02 12:17:21.000000000 +0200 @@ -38,6 +38,7 @@ #include #include #include +#include #include #include @@ -740,6 +741,13 @@ static inline int do_follow_link(struct err = security_inode_follow_link(path->dentry, nd); if (err) goto loop; + + if (gr_handle_follow_link(path->dentry->d_parent->d_inode, + path->dentry->d_inode, path->dentry)) { + err = -EACCES; + goto loop; + } + current->link_count++; current->total_link_count++; nd->depth++; @@ -1925,6 +1933,12 @@ do_last: /* * It already exists. */ + + if (gr_handle_fifo(path.dentry, dir, flag, acc_mode)) { + error = -EACCES; + goto exit_mutex_unlock; + } + mutex_unlock(&dir->d_inode->i_mutex); audit_inode(pathname, path.dentry); @@ -2028,6 +2042,13 @@ do_link: error = security_inode_follow_link(path.dentry, &nd); if (error) goto exit_dput; + + if (gr_handle_follow_link(path.dentry->d_parent->d_inode, path.dentry->d_inode, + path.dentry)) { + error = -EACCES; + goto exit_dput; + } + error = __do_follow_link(&path, &nd); if (error) { /* Does someone understand code flow here? Or it is only @@ -2669,6 +2690,13 @@ asmlinkage long sys_linkat(int olddfd, c error = PTR_ERR(new_dentry); if (IS_ERR(new_dentry)) goto out_unlock; + + if (gr_handle_hardlink(old_path.dentry, old_path.dentry->d_inode, + old_path.dentry->d_inode->i_mode, to)) { + error = -EACCES; + goto out_dput; + } + error = mnt_want_write(nd.path.mnt); if (error) goto out_dput; diff -urNp linux-2.6.26.orig/fs/proc/array.c linux-2.6.26/fs/proc/array.c --- linux-2.6.26.orig/fs/proc/array.c 2008-09-01 11:43:59.000000000 +0200 +++ linux-2.6.26/fs/proc/array.c 2008-09-02 12:17:21.000000000 +0200 @@ -639,3 +639,10 @@ int proc_pid_statm(struct seq_file *m, s return 0; } + +#ifdef CONFIG_GRKERNSEC_PROC_IPADDR +int proc_pid_ipaddr(struct task_struct *task, char *buffer) +{ + return sprintf(buffer, "%u.%u.%u.%u\n", NIPQUAD(task->signal->curr_ip)); +} +#endif diff -urNp linux-2.6.26.orig/fs/proc/base.c linux-2.6.26/fs/proc/base.c --- linux-2.6.26.orig/fs/proc/base.c 2008-09-01 11:43:59.000000000 +0200 +++ linux-2.6.26/fs/proc/base.c 2008-09-02 12:23:45.000000000 +0200 @@ -79,6 +79,8 @@ #include #include #include +#include + #include "internal.h" /* NOTE: @@ -1445,7 +1445,11 @@ rcu_read_lock(); cred = __task_cred(task); inode->i_uid = cred->euid; +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP + inode->i_gid = CONFIG_GRKERNSEC_PROC_GID; +#else inode->i_gid = cred->egid; +#endif rcu_read_unlock(); } /* procfs is xid tagged */ @@ -1469,6 +1469,9 @@ struct inode *inode = dentry->d_inode; struct task_struct *task; const struct cred *cred; +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP) + struct task_struct *tmp = current; +#endif generic_fillattr(inode, stat); @@ -1476,12 +1479,29 @@ stat->uid = 0; stat->gid = 0; task = pid_task(proc_pid(inode), PIDTYPE_PID); - if (task) { + if (task +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP) + && (!tmp->uid || (tmp->uid == task->uid) +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP + || in_group_p(CONFIG_GRKERNSEC_PROC_GID) +#endif + ) +#endif + ) { if ((inode->i_mode == (S_IFDIR|S_IRUGO|S_IXUGO)) || +#ifdef CONFIG_GRKERNSEC_PROC_USER + (inode->i_mode == (S_IFDIR|S_IRUSR|S_IXUSR)) || +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP) + (inode->i_mode == (S_IFDIR|S_IRUSR|S_IRGRP|S_IXUSR|S_IXGRP)) || +#endif task_dumpable(task)) { cred = __task_cred(task); stat->uid = cred->euid; +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP + stat->gid = CONFIG_GRKERNSEC_PROC_GID; +#else stat->gid = cred->egid; +#endif } } rcu_read_unlock(); @@ -1533,11 +1533,20 @@ if (task) { if ((inode->i_mode == (S_IFDIR|S_IRUGO|S_IXUGO)) || +#ifdef CONFIG_GRKERNSEC_PROC_USER + (inode->i_mode == (S_IFDIR|S_IRUSR|S_IXUSR)) || +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP) + (inode->i_mode == (S_IFDIR|S_IRUSR|S_IRGRP|S_IXUSR|S_IXGRP)) || +#endif task_dumpable(task)) { rcu_read_lock(); cred = __task_cred(task); inode->i_uid = cred->euid; +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP + inode->i_gid = CONFIG_GRKERNSEC_PROC_GID; +#else inode->i_gid = cred->egid; +#endif rcu_read_unlock(); } else { inode->i_uid = 0; @@ -1841,12 +1888,19 @@ static int proc_fd_permission(struct ino struct nameidata *nd) { int rv; + struct task_struct *task; rv = generic_permission(inode, mask, NULL); - if (rv == 0) - return 0; + if (task_pid(current) == proc_pid(inode)) rv = 0; + + task = get_proc_task(inode); + if (task == NULL) + return rv; + + put_task_struct(task); + return rv; } @@ -2617,7 +2683,14 @@ static struct dentry *proc_pid_instantia if (!inode) goto out; +#ifdef CONFIG_GRKERNSEC_PROC_USER + inode->i_mode = S_IFDIR|S_IRUSR|S_IXUSR; +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP) + inode->i_gid = CONFIG_GRKERNSEC_PROC_GID; + inode->i_mode = S_IFDIR|S_IRUSR|S_IRGRP|S_IXUSR|S_IXGRP; +#else inode->i_mode = S_IFDIR|S_IRUGO|S_IXUGO; +#endif inode->i_op = &proc_tgid_base_inode_operations; inode->i_fop = &proc_tgid_base_operations; inode->i_flags|=S_IMMUTABLE; @@ -2724,6 +2801,9 @@ int proc_pid_readdir(struct file * filp, { unsigned int nr = filp->f_pos - FIRST_PROCESS_ENTRY; struct task_struct *reaper = get_proc_task_real(filp->f_path.dentry->d_inode); +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP) + struct task_struct *tmp = current; +#endif struct tgid_iter iter; struct pid_namespace *ns; @@ -2742,6 +2822,15 @@ int proc_pid_readdir(struct file * filp, for (iter = next_tgid(ns, iter); iter.task; iter.tgid += 1, iter = next_tgid(ns, iter)) { +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP) + if (tmp->uid && (iter.task->uid != tmp->uid) +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP + && !in_group_p(CONFIG_GRKERNSEC_PROC_GID) +#endif + ) +#endif + continue; + filp->f_pos = iter.tgid + TGID_OFFSET; if (!vx_proc_task_visible(iter.task)) continue; @@ -2815,6 +2906,9 @@ static const struct pid_entry tid_base_s #ifdef CONFIG_FAULT_INJECTION REG("make-it-fail", S_IRUGO|S_IWUSR, fault_inject), #endif +#ifdef CONFIG_GRKERNSEC_PROC_IPADDR + INF("ipaddr", S_IRUSR, pid_ipaddr), +#endif }; static int proc_tid_base_readdir(struct file * filp, diff -urNp linux-2.6.26.orig/fs/proc/inode.c linux-2.6.26/fs/proc/inode.c --- linux-2.6.26.orig/fs/proc/inode.c 2008-09-01 11:43:59.000000000 +0200 +++ linux-2.6.26/fs/proc/inode.c 2008-09-02 12:17:21.000000000 +0200 @@ -403,7 +403,11 @@ struct inode *proc_get_inode(struct supe if (de->mode) { inode->i_mode = de->mode; inode->i_uid = de->uid; +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP + inode->i_gid = CONFIG_GRKERNSEC_PROC_GID; +#else inode->i_gid = de->gid; +#endif } if (de->vx_flags) PROC_I(inode)->vx_flags = de->vx_flags; diff -urNp linux-2.6.26.orig/fs/proc/internal.h linux-2.6.26/fs/proc/internal.h --- linux-2.6.26.orig/fs/proc/internal.h 2008-09-01 11:43:59.000000000 +0200 +++ linux-2.6.26/fs/proc/internal.h 2008-09-02 12:17:21.000000000 +0200 @@ -58,6 +58,9 @@ extern int proc_pid_statm(struct seq_fil struct pid *pid, struct task_struct *task); extern int proc_pid_nsproxy(struct seq_file *m, struct pid_namespace *ns, struct pid *pid, struct task_struct *task); +#ifdef CONFIG_GRKERNSEC_PROC_IPADDR +extern int proc_pid_ipaddr(struct task_struct *task, char *buffer); +#endif extern loff_t mem_lseek(struct file *file, loff_t offset, int orig); --- linux-2.6.26.orig/fs/proc/cmdline.c 2008-12-25 00:26:37.000000000 +0100 +++ linux-2.6.26/fs/proc/cmdline.c 2009-01-02 17:46:34.278247774 +0100 @@ -23,7 +23,15 @@ static int __init proc_cmdline_init(void) { - proc_create("cmdline", 0, NULL, &cmdline_proc_fops); + int gr_mode = 0; +#ifdef CONFIG_GRKERNSEC_PROC_USER + gr_mode = S_IRUSR; +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP) + gr_mode = S_IRUSR | S_IRGRP; +#endif +#ifdef CONFIG_GRKERNSEC_PROC_ADD + proc_create("cmdline", gr_mode, NULL, &cmdline_proc_fops); +#endif return 0; } module_init(proc_cmdline_init); --- linux-2.6.26.orig/fs/proc/devices.c 2008-12-25 00:26:37.000000000 +0100 +++ linux-2.6.26/fs/proc/devices.c 2009-01-02 17:43:00.758269666 +0100 @@ -64,7 +64,13 @@ static int __init proc_devices_init(void) { - proc_create("devices", 0, NULL, &proc_devinfo_operations); + int gr_mode = 0; +#ifdef CONFIG_GRKERNSEC_PROC_USER + gr_mode = S_IRUSR; +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP) + gr_mode = S_IRUSR | S_IRGRP; +#endif + proc_create("devices", gr_mode, NULL, &proc_devinfo_operations); return 0; } module_init(proc_devices_init); --- linux-2.6.26.orig/fs/proc/kcore.c 2008-12-25 00:26:37.000000000 +0100 +++ linux-2.6.26/fs/proc/kcore.c 2009-01-02 17:45:03.714922801 +0100 @@ -404,10 +404,12 @@ static int __init proc_kcore_init(void) { +#if defined(CONFIG_PROC_KCORE) && !defined(CONFIG_GRKERNSEC_PROC_ADD) proc_root_kcore = proc_create("kcore", S_IRUSR, NULL, &proc_kcore_operations); if (proc_root_kcore) proc_root_kcore->size = (size_t)high_memory - PAGE_OFFSET + PAGE_SIZE; +#endif return 0; } module_init(proc_kcore_init); diff -urNp linux-2.6.26.orig/fs/proc/root.c linux-2.6.26/fs/proc/root.c --- linux-2.6.26.orig/fs/proc/root.c 2008-09-01 11:43:59.000000000 +0200 +++ linux-2.6.26/fs/proc/root.c 2008-09-02 12:17:21.000000000 +0200 @@ -139,7 +139,15 @@ void __init proc_root_init(void) #ifdef CONFIG_PROC_DEVICETREE proc_device_tree_init(); #endif +#ifdef CONFIG_GRKERNSEC_PROC_ADD +#ifdef CONFIG_GRKERNSEC_PROC_USER + proc_mkdir_mode("bus", S_IRUSR | S_IXUSR, NULL); +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP) + proc_mkdir_mode("bus", S_IRUSR | S_IXUSR | S_IRGRP | S_IXGRP, NULL); +#endif +#else proc_mkdir("bus", NULL); +#endif proc_sys_init(); proc_vx_init(); } diff -urNp linux-2.6.26.orig/grsecurity/grsec_disabled.c linux-2.6.26/grsecurity/grsec_disabled.c --- linux-2.6.26.orig/grsecurity/grsec_disabled.c 1970-01-01 01:00:00.000000000 +0100 +++ linux-2.6.26/grsecurity/grsec_disabled.c 2008-09-02 12:17:21.000000000 +0200 @@ -0,0 +1,6 @@ +void +grsecurity_init(void) +{ + return; +} + diff -urNp linux-2.6.26.orig/grsecurity/grsec_fifo.c linux-2.6.26/grsecurity/grsec_fifo.c --- linux-2.6.26.orig/grsecurity/grsec_fifo.c 1970-01-01 01:00:00.000000000 +0100 +++ linux-2.6.26/grsecurity/grsec_fifo.c 2008-09-02 12:17:21.000000000 +0200 @@ -0,0 +1,20 @@ +#include +#include +#include +#include +#include + +int +gr_handle_fifo(const struct dentry *dentry, const struct vfsmount *mnt, + const struct dentry *dir, const int flag, const int acc_mode) +{ +#ifdef CONFIG_GRKERNSEC_FIFO + if (grsec_enable_fifo && S_ISFIFO(dentry->d_inode->i_mode) && + !(flag & O_EXCL) && (dir->d_inode->i_mode & S_ISVTX) && + (dentry->d_inode->i_uid != dir->d_inode->i_uid) && + (current->fsuid != dentry->d_inode->i_uid)) { + return -EACCES; + } +#endif + return 0; +} diff -urNp linux-2.6.26.orig/grsecurity/grsec_init.c linux-2.6.26/grsecurity/grsec_init.c --- linux-2.6.26.orig/grsecurity/grsec_init.c 1970-01-01 01:00:00.000000000 +0100 +++ linux-2.6.26/grsecurity/grsec_init.c 2008-09-02 12:17:21.000000000 +0200 @@ -0,0 +1,29 @@ +#include +#include +#include +#include +#include +#include +#include + +int grsec_enable_link; +int grsec_enable_fifo; +int grsec_lock; + +void +grsecurity_init(void) +{ +#if !defined(CONFIG_GRKERNSEC_SYSCTL) || defined(CONFIG_GRKERNSEC_SYSCTL_ON) +#ifndef CONFIG_GRKERNSEC_SYSCTL + grsec_lock = 1; +#endif +#ifdef CONFIG_GRKERNSEC_LINK + grsec_enable_link = 1; +#endif +#ifdef CONFIG_GRKERNSEC_FIFO + grsec_enable_fifo = 1; +#endif +#endif + + return; +} diff -urNp linux-2.6.26.orig/grsecurity/grsec_link.c linux-2.6.26/grsecurity/grsec_link.c --- linux-2.6.26.orig/grsecurity/grsec_link.c 1970-01-01 01:00:00.000000000 +0100 +++ linux-2.6.26/grsecurity/grsec_link.c 2008-09-02 12:17:21.000000000 +0200 @@ -0,0 +1,37 @@ +#include +#include +#include +#include +#include + +int +gr_handle_follow_link(const struct inode *parent, + const struct inode *inode, + const struct dentry *dentry, const struct vfsmount *mnt) +{ +#ifdef CONFIG_GRKERNSEC_LINK + if (grsec_enable_link && S_ISLNK(inode->i_mode) && + (parent->i_mode & S_ISVTX) && (parent->i_uid != inode->i_uid) && + (parent->i_mode & S_IWOTH) && (current->fsuid != inode->i_uid)) { + return -EACCES; + } +#endif + return 0; +} + +int +gr_handle_hardlink(const struct dentry *dentry, + const struct vfsmount *mnt, + struct inode *inode, const int mode, const char *to) +{ +#ifdef CONFIG_GRKERNSEC_LINK + if (grsec_enable_link && current->fsuid != inode->i_uid && + (!S_ISREG(mode) || (mode & S_ISUID) || + ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP)) || + (generic_permission(inode, MAY_READ | MAY_WRITE, NULL))) && + !capable(CAP_FOWNER) && current->uid) { + return -EPERM; + } +#endif + return 0; +} diff -urNp linux-2.6.26.orig/grsecurity/grsec_sock.c linux-2.6.26/grsecurity/grsec_sock.c --- linux-2.6.26.orig/grsecurity/grsec_sock.c 1970-01-01 01:00:00.000000000 +0100 +++ linux-2.6.26/grsecurity/grsec_sock.c 2008-09-02 12:17:21.000000000 +0200 @@ -0,0 +1,170 @@ +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#ifdef CONFIG_GRKERNSEC +#define gr_conn_table_size 32749 +struct conn_table_entry { + struct conn_table_entry *next; + struct signal_struct *sig; +}; + +struct conn_table_entry *gr_conn_table[gr_conn_table_size]; +spinlock_t gr_conn_table_lock = SPIN_LOCK_UNLOCKED; + +extern const char * gr_socktype_to_name(unsigned char type); +extern const char * gr_proto_to_name(unsigned char proto); + +static __inline__ int +conn_hash(__u32 saddr, __u32 daddr, __u16 sport, __u16 dport, unsigned int size) +{ + return ((daddr + saddr + (sport << 8) + (dport << 16)) % size); +} + +static __inline__ int +conn_match(const struct signal_struct *sig, __u32 saddr, __u32 daddr, + __u16 sport, __u16 dport) +{ + if (unlikely(sig->gr_saddr == saddr && sig->gr_daddr == daddr && + sig->gr_sport == sport && sig->gr_dport == dport)) + return 1; + else + return 0; +} + +static void gr_add_to_task_ip_table_nolock(struct signal_struct *sig, struct conn_table_entry *newent) +{ + struct conn_table_entry **match; + unsigned int index; + + index = conn_hash(sig->gr_saddr, sig->gr_daddr, + sig->gr_sport, sig->gr_dport, + gr_conn_table_size); + + newent->sig = sig; + + match = &gr_conn_table[index]; + newent->next = *match; + *match = newent; + + return; +} + +static void gr_del_task_from_ip_table_nolock(struct signal_struct *sig) +{ + struct conn_table_entry *match, *last = NULL; + unsigned int index; + + index = conn_hash(sig->gr_saddr, sig->gr_daddr, + sig->gr_sport, sig->gr_dport, + gr_conn_table_size); + + match = gr_conn_table[index]; + while (match && !conn_match(match->sig, + sig->gr_saddr, sig->gr_daddr, sig->gr_sport, + sig->gr_dport)) { + last = match; + match = match->next; + } + + if (match) { + if (last) + last->next = match->next; + else + gr_conn_table[index] = NULL; + kfree(match); + } + + return; +} + +static struct signal_struct * gr_lookup_task_ip_table(__u32 saddr, __u32 daddr, + __u16 sport, __u16 dport) +{ + struct conn_table_entry *match; + unsigned int index; + + index = conn_hash(saddr, daddr, sport, dport, gr_conn_table_size); + + match = gr_conn_table[index]; + while (match && !conn_match(match->sig, saddr, daddr, sport, dport)) + match = match->next; + + if (match) + return match->sig; + else + return NULL; +} + +#endif + +void gr_update_task_in_ip_table(struct task_struct *task, const struct inet_sock *inet) +{ +#ifdef CONFIG_GRKERNSEC + struct signal_struct *sig = task->signal; + struct conn_table_entry *newent; + + newent = kmalloc(sizeof(struct conn_table_entry), GFP_ATOMIC); + if (newent == NULL) + return; + /* no bh lock needed since we are called with bh disabled */ + spin_lock(&gr_conn_table_lock); + gr_del_task_from_ip_table_nolock(sig); + sig->gr_saddr = inet->rcv_saddr; + sig->gr_daddr = inet->daddr; + sig->gr_sport = inet->sport; + sig->gr_dport = inet->dport; + gr_add_to_task_ip_table_nolock(sig, newent); + spin_unlock(&gr_conn_table_lock); +#endif + return; +} + +void gr_del_task_from_ip_table(struct task_struct *task) +{ +#ifdef CONFIG_GRKERNSEC + spin_lock(&gr_conn_table_lock); + gr_del_task_from_ip_table_nolock(task->signal); + spin_unlock(&gr_conn_table_lock); +#endif + return; +} + +void +gr_attach_curr_ip(const struct sock *sk) +{ +#ifdef CONFIG_GRKERNSEC + struct signal_struct *p, *set; + const struct inet_sock *inet = inet_sk(sk); + + if (unlikely(sk->sk_protocol != IPPROTO_TCP)) + return; + + set = current->signal; + + spin_lock_bh(&gr_conn_table_lock); + p = gr_lookup_task_ip_table(inet->daddr, inet->rcv_saddr, + inet->dport, inet->sport); + if (unlikely(p != NULL)) { + set->curr_ip = p->curr_ip; + set->used_accept = 1; + gr_del_task_from_ip_table_nolock(p); + spin_unlock_bh(&gr_conn_table_lock); + return; + } + spin_unlock_bh(&gr_conn_table_lock); + + set->curr_ip = inet->daddr; + set->used_accept = 1; +#endif + return; +} + diff -urNp linux-2.6.26.orig/grsecurity/grsec_sysctl.c linux-2.6.26/grsecurity/grsec_sysctl.c --- linux-2.6.26.orig/grsecurity/grsec_sysctl.c 1970-01-01 01:00:00.000000000 +0100 +++ linux-2.6.26/grsecurity/grsec_sysctl.c 2008-09-02 12:17:21.000000000 +0200 @@ -0,0 +1,52 @@ +#include +#include +#include +#include +#include + +int +gr_handle_sysctl_mod(const char *dirname, const char *name, const int op) +{ +#ifdef CONFIG_GRKERNSEC_SYSCTL + if (!strcmp(dirname, "grsecurity") && grsec_lock && (op & 002)) { + return -EACCES; + } +#endif + return 0; +} + +#if defined(CONFIG_GRKERNSEC_SYSCTL) +ctl_table grsecurity_table[] = { +#ifdef CONFIG_GRKERNSEC_SYSCTL +#ifdef CONFIG_GRKERNSEC_LINK + { + .ctl_name = CTL_UNNUMBERED, + .procname = "linking_restrictions", + .data = &grsec_enable_link, + .maxlen = sizeof(int), + .mode = 0600, + .proc_handler = &proc_dointvec, + }, +#endif +#ifdef CONFIG_GRKERNSEC_FIFO + { + .ctl_name = CTL_UNNUMBERED, + .procname = "fifo_restrictions", + .data = &grsec_enable_fifo, + .maxlen = sizeof(int), + .mode = 0600, + .proc_handler = &proc_dointvec, + }, +#endif + { + .ctl_name = CTL_UNNUMBERED, + .procname = "grsec_lock", + .data = &grsec_lock, + .maxlen = sizeof(int), + .mode = 0600, + .proc_handler = &proc_dointvec, + }, +#endif + { .ctl_name = 0 } +}; +#endif diff -urNp linux-2.6.26.orig/grsecurity/Kconfig linux-2.6.26/grsecurity/Kconfig --- linux-2.6.26.orig/grsecurity/Kconfig 1970-01-01 01:00:00.000000000 +0100 +++ linux-2.6.26/grsecurity/Kconfig 2008-09-02 12:17:21.000000000 +0200 @@ -0,0 +1,123 @@ +# +# grecurity configuration +# + +menu "Grsecurity" + +config GRKERNSEC + bool "Grsecurity" + select CRYPTO + select CRYPTO_SHA256 + select SECURITY + select SECURITY_CAPABILITIES + help + If you say Y here, you will be able to configure many features + that will enhance the security of your system. It is highly + recommended that you say Y here and read through the help + for each option so that you fully understand the features and + can evaluate their usefulness for your machine. + +menu "Filesystem Protections" +depends on GRKERNSEC + +config GRKERNSEC_PROC + bool "Proc restrictions" + help + If you say Y here, the permissions of the /proc filesystem + will be altered to enhance system security and privacy. You MUST + choose either a user only restriction or a user and group restriction. + Depending upon the option you choose, you can either restrict users to + see only the processes they themselves run, or choose a group that can + view all processes and files normally restricted to root if you choose + the "restrict to user only" option. NOTE: If you're running identd as + a non-root user, you will have to run it as the group you specify here. + +config GRKERNSEC_PROC_USER + bool "Restrict /proc to user only" + depends on GRKERNSEC_PROC + help + If you say Y here, non-root users will only be able to view their own + processes, and restricts them from viewing network-related information, + and viewing kernel symbol and module information. + +config GRKERNSEC_PROC_USERGROUP + bool "Allow special group" + depends on GRKERNSEC_PROC && !GRKERNSEC_PROC_USER + help + If you say Y here, you will be able to select a group that will be + able to view all processes, network-related information, and + kernel and symbol information. This option is useful if you want + to run identd as a non-root user. + +config GRKERNSEC_PROC_GID + int "GID for special group" + depends on GRKERNSEC_PROC_USERGROUP + default 1001 + +config GRKERNSEC_PROC_ADD + bool "Additional restrictions" + depends on GRKERNSEC_PROC_USER || GRKERNSEC_PROC_USERGROUP + help + If you say Y here, additional restrictions will be placed on + /proc that keep normal users from viewing device information and + slabinfo information that could be useful for exploits. + +config GRKERNSEC_LINK + bool "Linking restrictions" + help + If you say Y here, /tmp race exploits will be prevented, since users + will no longer be able to follow symlinks owned by other users in + world-writable +t directories (i.e. /tmp), unless the owner of the + symlink is the owner of the directory. users will also not be + able to hardlink to files they do not own. If the sysctl option is + enabled, a sysctl option with name "linking_restrictions" is created. + +config GRKERNSEC_FIFO + bool "FIFO restrictions" + help + If you say Y here, users will not be able to write to FIFOs they don't + own in world-writable +t directories (i.e. /tmp), unless the owner of + the FIFO is the same owner of the directory it's held in. If the sysctl + option is enabled, a sysctl option with name "fifo_restrictions" is + created. + +config GRKERNSEC_PROC_IPADDR + bool "/proc//ipaddr support" + help + If you say Y here, a new entry will be added to each /proc/ + directory that contains the IP address of the person using the task. + The IP is carried across local TCP and AF_UNIX stream sockets. + This information can be useful for IDS/IPSes to perform remote response + to a local attack. The entry is readable by only the owner of the + process (and root if he has CAP_DAC_OVERRIDE, which can be removed via + the RBAC system), and thus does not create privacy concerns. + +endmenu + +config GRKERNSEC_SYSCTL + bool "Sysctl support" + help + If you say Y here, you will be able to change the options that + grsecurity runs with at bootup, without having to recompile your + kernel. You can echo values to files in /proc/sys/kernel/grsecurity + to enable (1) or disable (0) various features. All the sysctl entries + are mutable until the "grsec_lock" entry is set to a non-zero value. + All features enabled in the kernel configuration are disabled at boot + if you do not say Y to the "Turn on features by default" option. + All options should be set at startup, and the grsec_lock entry should + be set to a non-zero value after all the options are set. + *THIS IS EXTREMELY IMPORTANT* + +config GRKERNSEC_SYSCTL_ON + bool "Turn on features by default" + depends on GRKERNSEC_SYSCTL + help + If you say Y here, instead of having all features enabled in the + kernel configuration disabled at boot time, the features will be + enabled at boot time. It is recommended you say Y here unless + there is some reason you would want all sysctl-tunable features to + be disabled by default. As mentioned elsewhere, it is important + to enable the grsec_lock entry once you have finished modifying + the sysctl entries. + +endmenu diff -urNp linux-2.6.26.orig/grsecurity/Makefile linux-2.6.26/grsecurity/Makefile --- linux-2.6.26.orig/grsecurity/Makefile 1970-01-01 01:00:00.000000000 +0100 +++ linux-2.6.26/grsecurity/Makefile 2008-09-02 12:17:21.000000000 +0200 @@ -0,0 +1,11 @@ +# All code in this directory and various hooks inserted throughout the kernel +# are copyright Brad Spengler, and released under the GPL v2 or higher + +obj-y = grsec_fifo.o grsec_sock.o grsec_sysctl.o grsec_link.o + +obj-$(CONFIG_GRKERNSEC) += grsec_init.o + +ifndef CONFIG_GRKERNSEC +obj-y += grsec_disabled.o +endif + diff -urNp linux-2.6.26.orig/include/linux/grinternal.h linux-2.6.26/include/linux/grinternal.h --- linux-2.6.26.orig/include/linux/grinternal.h 1970-01-01 01:00:00.000000000 +0100 +++ linux-2.6.26/include/linux/grinternal.h 2008-09-02 12:17:21.000000000 +0200 @@ -0,0 +1,14 @@ +#ifndef __GRINTERNAL_H +#define __GRINTERNAL_H + +#ifdef CONFIG_GRKERNSEC + +#include + +extern int grsec_enable_link; +extern int grsec_enable_fifo; +extern int grsec_lock; + +#endif + +#endif diff -urNp linux-2.6.26.orig/include/linux/grsecurity.h linux-2.6.26/include/linux/grsecurity.h --- linux-2.6.26.orig/include/linux/grsecurity.h 1970-01-01 01:00:00.000000000 +0100 +++ linux-2.6.26/include/linux/grsecurity.h 2008-09-02 12:17:21.000000000 +0200 @@ -0,0 +1,18 @@ +#ifndef GR_SECURITY_H +#define GR_SECURITY_H +#include +#include + +void gr_del_task_from_ip_table(struct task_struct *p); + +int gr_handle_follow_link(const struct inode *parent, + const struct inode *inode, + const struct dentry *dentry); +int gr_handle_fifo(const struct dentry *dentry, + const struct dentry *dir, const int flag, + const int acc_mode); +int gr_handle_hardlink(const struct dentry *dentry, + struct inode *inode, + const int mode, const char *to); + +#endif diff -urNp linux-2.6.26.orig/include/linux/sched.h linux-2.6.26/include/linux/sched.h --- linux-2.6.26.orig/include/linux/sched.h 2008-09-01 11:43:34.000000000 +0200 +++ linux-2.6.26/include/linux/sched.h 2008-09-02 12:17:21.000000000 +0200 @@ -544,6 +544,15 @@ struct signal_struct { unsigned audit_tty; struct tty_audit_buf *tty_audit_buf; #endif + +#ifdef CONFIG_GRKERNSEC + u32 curr_ip; + u32 gr_saddr; + u32 gr_daddr; + u16 gr_sport; + u16 gr_dport; + u8 used_accept:1; +#endif }; /* Context switch must be unlocked if interrupts are to be enabled */ diff -urNp linux-2.6.26.orig/include/linux/sysctl.h linux-2.6.26/include/linux/sysctl.h --- linux-2.6.26.orig/include/linux/sysctl.h 2008-09-01 11:43:34.000000000 +0200 +++ linux-2.6.26/include/linux/sysctl.h 2008-09-02 12:17:21.000000000 +0200 @@ -165,8 +165,11 @@ enum KERN_MAX_LOCK_DEPTH=74, KERN_NMI_WATCHDOG=75, /* int: enable/disable nmi watchdog */ KERN_PANIC_ON_NMI=76, /* int: whether we will panic on an unrecovered */ -}; +#ifdef CONFIG_GRKERNSEC + KERN_GRSECURITY=98, /* grsecurity */ +#endif +}; /* CTL_VM names: */ diff -urNp linux-2.6.26.orig/kernel/configs.c linux-2.6.26/kernel/configs.c --- linux-2.6.26.orig/kernel/configs.c 2008-09-01 11:43:58.000000000 +0200 +++ linux-2.6.26/kernel/configs.c 2008-09-02 12:17:21.000000000 +0200 @@ -79,8 +79,19 @@ static int __init ikconfig_init(void) struct proc_dir_entry *entry; /* create the current config file */ +#ifdef CONFIG_GRKERNSEC_PROC_ADD +#ifdef CONFIG_GRKERNSEC_PROC_USER + entry = proc_create("config.gz", S_IFREG | S_IRUSR, NULL, + &ikconfig_file_ops); +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP) + entry = proc_create("config.gz", S_IFREG | S_IRUSR | S_IRGRP, NULL, + &ikconfig_file_ops); +#endif +#else entry = proc_create("config.gz", S_IFREG | S_IRUGO, NULL, &ikconfig_file_ops); +#endif + if (!entry) return -ENOMEM; diff -urNp linux-2.6.26.orig/kernel/exit.c linux-2.6.26/kernel/exit.c --- linux-2.6.26.orig/kernel/exit.c 2008-09-01 11:43:58.000000000 +0200 +++ linux-2.6.26/kernel/exit.c 2008-09-02 12:17:21.000000000 +0200 @@ -50,6 +50,7 @@ #include #include #include +#include #include #include @@ -137,6 +138,7 @@ static void __exit_signal(struct task_st */ flush_sigqueue(&tsk->pending); + gr_del_task_from_ip_table(tsk); tsk->signal = NULL; tsk->sighand = NULL; spin_unlock(&sighand->siglock); diff -urNp linux-2.6.26.orig/kernel/kallsyms.c linux-2.6.26/kernel/kallsyms.c --- linux-2.6.26.orig/kernel/kallsyms.c 2008-09-01 11:43:58.000000000 +0200 +++ linux-2.6.26/kernel/kallsyms.c 2008-09-02 12:17:21.000000000 +0200 @@ -472,7 +472,15 @@ static const struct file_operations kall static int __init kallsyms_init(void) { +#ifdef CONFIG_GRKERNSEC_PROC_ADD +#ifdef CONFIG_GRKERNSEC_PROC_USER + proc_create("kallsyms", S_IFREG | S_IRUSR, NULL, &kallsyms_operations); +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP) + proc_create("kallsyms", S_IFREG | S_IRUSR | S_IRGRP, NULL, &kallsyms_operations); +#endif +#else proc_create("kallsyms", 0444, NULL, &kallsyms_operations); +#endif return 0; } __initcall(kallsyms_init); diff -urNp linux-2.6.26.orig/kernel/resource.c linux-2.6.26/kernel/resource.c --- linux-2.6.26.orig/kernel/resource.c 2008-09-01 11:43:58.000000000 +0200 +++ linux-2.6.26/kernel/resource.c 2008-09-02 12:17:21.000000000 +0200 @@ -131,8 +131,18 @@ static const struct file_operations proc static int __init ioresources_init(void) { +#ifdef CONFIG_GRKERNSEC_PROC_ADD +#ifdef CONFIG_GRKERNSEC_PROC_USER + proc_create("ioports", S_IRUSR, NULL, &proc_ioports_operations); + proc_create("iomem", S_IRUSR, NULL, &proc_iomem_operations); +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP) + proc_create("ioports", S_IRUSR | S_IRGRP, NULL, &proc_ioports_operations); + proc_create("iomem", S_IRUSR | S_IRGRP, NULL, &proc_iomem_operations); +#endif +#else proc_create("ioports", 0, NULL, &proc_ioports_operations); proc_create("iomem", 0, NULL, &proc_iomem_operations); +#endif return 0; } __initcall(ioresources_init); diff -urNp linux-2.6.26.orig/kernel/sysctl.c linux-2.6.26/kernel/sysctl.c --- linux-2.6.26.orig/kernel/sysctl.c 2008-09-01 11:43:58.000000000 +0200 +++ linux-2.6.26/kernel/sysctl.c 2008-09-02 12:17:21.000000000 +0200 @@ -59,6 +59,11 @@ static int deprecated_sysctl_warning(struct __sysctl_args *args); #if defined(CONFIG_SYSCTL) +#include +#include + +extern int gr_handle_sysctl_mod(const char *dirname, const char *name, + const int op); /* External variables not in a header file. */ extern int C_A_D; @@ -153,6 +158,7 @@ static int proc_do_cad_pid(struct ctl_ta static int proc_dointvec_taint(struct ctl_table *table, int write, struct file *filp, void __user *buffer, size_t *lenp, loff_t *ppos); #endif +extern ctl_table grsecurity_table[]; static struct ctl_table root_table[]; static struct ctl_table_root sysctl_table_root; @@ -823,6 +829,15 @@ static struct ctl_table kern_table[] = { .child = key_sysctls, }, #endif + +#if defined(CONFIG_GRKERNSEC_SYSCTL) + { + .ctl_name = CTL_UNNUMBERED, + .procname = "grsecurity", + .mode = 0500, + .child = grsecurity_table, + }, +#endif /* * NOTE: do not add new entries to this table unless you have read * Documentation/sysctl/ctl_unnumbered.txt @@ -1585,6 +1600,10 @@ int sysctl_perm(struct ctl_table_root *r int error; int mode; + if (table->parent != NULL && table->parent->procname != NULL && + table->procname != NULL && + gr_handle_sysctl_mod(table->parent->procname, table->procname, op)) + return -EACCES; error = security_sysctl(table, op & (MAY_READ | MAY_WRITE | MAY_EXEC)); if (error) return error; diff -urNp linux-2.6.26.orig/Makefile linux-2.6.26/Makefile --- linux-2.6.26.orig/Makefile 2008-09-01 11:44:01.000000000 +0200 +++ linux-2.6.26/Makefile 2008-09-02 12:17:21.000000000 +0200 @@ -607,7 +607,7 @@ export mod_strip_cmd ifeq ($(KBUILD_EXTMOD),) -core-y += kernel/ mm/ fs/ ipc/ security/ crypto/ block/ +core-y += kernel/ mm/ fs/ ipc/ security/ crypto/ block/ grsecurity/ vmlinux-dirs := $(patsubst %/,%,$(filter %/, $(init-y) $(init-m) \ $(core-y) $(core-m) $(drivers-y) $(drivers-m) \ diff -urNp linux-2.6.26.orig/net/ipv4/inet_hashtables.c linux-2.6.26/net/ipv4/inet_hashtables.c --- linux-2.6.26.orig/net/ipv4/inet_hashtables.c 2008-09-01 11:43:37.000000000 +0200 +++ linux-2.6.26/net/ipv4/inet_hashtables.c 2008-09-02 12:17:21.000000000 +0200 @@ -18,12 +18,15 @@ #include #include #include +#include #include #include #include #include +extern void gr_update_task_in_ip_table(struct task_struct *task, const struct inet_sock *inet); + /* * Allocate and initialize a new local port bind bucket. * The bindhash mutex for snum's hash chain must be held here. @@ -484,6 +487,8 @@ ok: } spin_unlock(&head->lock); + gr_update_task_in_ip_table(current, inet_sk(sk)); + if (tw) { inet_twsk_deschedule(tw, death_row); inet_twsk_put(tw); diff -urNp linux-2.6.26.orig/net/socket.c linux-2.6.26/net/socket.c --- linux-2.6.26.orig/net/socket.c 2008-09-01 11:43:36.000000000 +0200 +++ linux-2.6.26/net/socket.c 2008-09-02 12:17:21.000000000 +0200 @@ -85,6 +85,7 @@ #include #include #include +#include #include #include @@ -98,6 +99,8 @@ #include #include +extern void gr_attach_curr_ip(const struct sock *sk); + static int sock_no_open(struct inode *irrelevant, struct file *dontcare); static ssize_t sock_aio_read(struct kiocb *iocb, const struct iovec *iov, unsigned long nr_segs, loff_t pos); @@ -1577,6 +1577,8 @@ fd_install(newfd, newfile); err = newfd; + gr_attach_curr_ip(newsock->sk); + out_put: fput_light(sock->file, fput_needed); out: diff -urNp linux-2.6.26.orig/security/Kconfig linux-2.6.26/security/Kconfig --- linux-2.6.26.orig/security/Kconfig 2008-09-01 11:43:58.000000000 +0200 +++ linux-2.6.26/security/Kconfig 2008-09-02 12:17:21.000000000 +0200 @@ -4,6 +4,8 @@ menu "Security options" +source grsecurity/Kconfig + config KEYS bool "Enable access key retention support" help