diff -urN linux/Documentation/Configure.help linux.grsec/Documentation/Configure.help --- linux/Documentation/Configure.help Sun Sep 30 01:30:58 2001 +++ linux.grsec/Documentation/Configure.help Sun Sep 30 01:54:18 2001 @@ -18157,6 +18157,361 @@ boards supported by this driver, and for further information on the use of this driver. +Non-executable Stack +CONFIG_GRKERNSEC_STACK + If you say Y here, your system will not allow execution of + code on the stack, making buffer overflow exploitation more difficult. + Exploits will have to dabble in more obscure methods of + exploitation(bss,got,heap..) + +Gcc trampoline support +CONFIG_GRKERNSEC_STACK_GCC + If you say Y here, the system will support trampoline code along + with the stack protection. If you do not have any programs on + your system that require this (glibc 2.0 users must say YES to + this option) you may say no here. + +PaX protection +CONFIG_GRKERNSEC_PAX + By design the IA-32 architecture does not allow for protecting + memory pages against execution, i.e. if a page is readable (such + as the stack or heap) it is also executable. There is a well + known exploit technique that makes use of this fact and a common + programming mistake where an attacker can introduce executable + code of his choice somewhere in the attacked program's memory + (typically the stack or the heap) and then execute it. If the + attacked program was running with different (typically higher) + privileges than that of the attacker, then he can elevate his + own privilege level (e.g. get a root shell, write to files for + which he does not have write access to, etc). + + Since the implementation is software based, it comes with a + performance impact, you should evaluate your system carefully + before deciding to use this feature on production systems. + + Enabling this feature will enforce the non-executable flag on + memory pages thereby making it harder to execute 'foreign' code + in a program. This will also break programs that rely on the + old behaviour and expect that dynamically allocated memory via + the malloc() family of functions is executable (which it is not). + Notable examples are the XFree86 4.x server, the java runtime + and wine. + + NOTE: you can use the 'chpax' utility to enable/disable this + feature on a per file basis. + +Emulate trampolines +CONFIG_GRKERNSEC_PAX_EMUTRAMP + There are some programs and libraries that for one reason or + another attempt to execute special small code snippets from + non-executable memory pages. Most notable examples are the + signal handler return code generated by the kernel itself and + the GCC trampolines. + + If you enabled CONFIG_PAX_PAGEEXEC then such programs will no + longer work under your kernel. As a remedy you can say Y here + and use the 'chpax' utility to enable trampoline emulation for + the affected programs yet still have the protection provided by + CONFIG_PAX_PAGEEXEC. Alternatively you can say N here and use + the 'chpax' utility to disable CONFIG_PAX_PAGEEXEC for the + affected files. + + NOTE: enabling this feature *may* open up a loophole in the + protection provided by CONFIG_PAX_PAGEEXEC that an attacker + could abuse. Therefore the best solution is to not have any + files on your system that would require this option. This can + be achieved by not using libc5 (which relies on the kernel + signal handler return code) and not using or rewriting programs + that make use of the nested function implementation of GCC. + Skilled users can just fix GCC itself so that it implements + nested function calls in a way that does not interfere with PaX. + +Restrict mprotect() +CONFIG_GRKERNSEC_PAX_MPROTECT + Enabling this option will prevent programs from changing the + executable status of memory pages that were not originally + created as executable. The kernel will also prevent programs + from making read-only executable pages writable again. + + You should say Y here to complete the protection provided by + the enforcement of the PAGE_EXEC flag (CONFIG_PAX_PAGEEXEC). + + NOTE: you can use the 'chpax' utility to enable/disable this + feature on a per file basis. + +Randomize mmap() base +CONFIG_GRKERNSEC_PAX_RANDMMAP + By saying Y here the kernel will somewhat randomize the address + space of programs at each execution (the top of the stack, the + base address for mmap() requests that do not specify one themselves + and the base address of dynamic ELF executables). + + As a result all dynamically loaded libraries will appear at random + addresses and therefore be harder to exploit by a technique where + an attacker attempts to execute library code for his purposes + (e.g. spawn a shell from an exploited program that is running at + an elevated privilege level). + + Furthermore, if a program is relinked as a dynamic ELF file, its + base address will be randomized as well, completing the full + randomization of the address space. Attacking such programs becomes + a guess game. + + It is strongly recommended to say Y here even if CONFIG_PAX_PAGEEXEC + is not enabled as address space randomization has negligible impact + on performance yet it provides a very effective protection. + + NOTE: you can use the 'chpax' utility to enable/disable this + feature on a per file basis. + + +Proc Restrictions +CONFIG_GRKERNSEC_PROC + If you say Y here, the permissions of the /proc filesystem + will be altered to enhance system security and privacy. Depending + upon the options you choose, you can either restrict users to see + only the processes they themselves run, or choose a group that can + not see all processes, but can view other proc entries that would + normally be restricted to the user. If you're running identd as + a non-root user, you will have to run it as the group you specify here. + +Linking restrictions +CONFIG_GRKERNSEC_LINK + If you say Y here, /tmp race exploits will be prevented, since users + will no longer be able to follow symlinks owned by other users in + world-writeable +t directories (i.e. /tmp), unless the owner of the + symlink is the owner of the directory. users will also not be + able to hardlink to files they do not own. + +FIFO restrictions +CONFIG_GRKERNSEC_FIFO + If you say Y here, users will not be able to write to FIFOs they don't + own in world-writeable +t directories (i.e. /tmp), unless the owner of + the FIFO is the same owner of the directory it's held in. + +Secure file descriptors +CONFIG_GRKERNSEC_FD + If you say Y here, set*id binaries will be protected from data spoofing + attacks (eg. making a program read /etc/shadow). The patches do this + by opening up /dev/null to any of the stdin, stdout, stderr file descriptors + for set*id binaries that are open and run by a user that is not the owner + of the file. + +Exec process limiting +CONFIG_GRKERNSEC_EXECVE + If you say Y here, users with a resource limit on processes will + have the value checked during execve() calls. The current system + only checks the system limit during fork() calls. + +Fork-bombing protection +CONFIG_GRKERNSEC_FORKBOMB + If you say Y here, you will be able to configure a group to add to users + on your system that you want to be unable to fork-bomb the system. + You will be able to specify a maximum process limit for the user and + set a rate limit for all forks under their uid. (Fork-bombing is a + tactic used by attackers that can be enacted in two ways, (1) loading + up thousands of processes until the system can't take any more (this + method can be stopped outside of the kernel with PAM, however we place + protection for it in the kernel to be more complete and reduce overhead), + and (2), by forking processes at a rapid rate, and then killing them + off, which cannot be protected against in the same way at tactic 1) + The rate limit is specified in forks allowed per second. Set this + limit low enough to stop tactic 2, but high enough to allow for + normal operation. + +Exec logging +CONFIG_GRKERNSEC_EXECLOG + If you say Y here, all execve() calls will be logged (since the + other exec*() calls are frontends to execve(), all execution + will be logged). Useful for shell-servers that like to keep track + of their users. + WARNING: This option when enabled will produce a LOT of logs, especially + on an active system. + +Set*id logging +CONFIG_GRKERNSEC_SUID + If you say Y here, all set*id() calls will be logged. Such information + could be useful when detecting a possible intrusion attempt. + +Signal logging +CONFIG_GRKERNSEC_SIGNAL + If you say Y here, certain important signals will be logged, such as + SIGSEGV, which will as a result inform you of when a error in a program + occured, which in some cases could mean a possible exploit attempt. + +BSD-style coredumps +CONFIG_GRKERNSEC_COREDUMP + If you say Y here, linux will use a style similar to BSD for + coredumps, core.processname. Not a security feature, just + a useful one. + +Fork failure logging +CONFIG_GRKERNSEC_FORKFAIL + If you say Y here, all failed fork() attempts will be logged. + This could suggest a fork bomb, or someone attempting to overstep + their process limit. + +Time change logging +CONFIG_GRKERNSEC_TIME + If you say Y here, any changes of the system clock will be logged. + +Secure keymap loading +CONFIG_GRKERNSEC_KBMAP + If you say Y here, KDSKBENT and KDSKBSENT ioctl calls being + called by unprivileged users will be denied. If you answer N, + everyone will be able to modify keyboard bindings. + + Saying N makes hacking root account easier for anyone who + has access to the console. + +Enhanced network randomness +CONFIG_GRKERNSEC_RANDNET + If you say Y here, the functions controlling the randomness + of the Linux IP stack will be enhanced to decrease the chances + of being able to predict certain packets that require some + amount of randomness. + +Chroot jail restrictions +CONFIG_GRKERNSEC_CHROOT + If you say Y here, processes in a chrooted jail will be much more + difficult to break out of. It stops most generic ways of breaking + a chroot jail. Adding in chroot jail restrictions adds these + protective measures to the kernel: + No mknod() + No ptracing + No fchmod +s or chmod +s (usually used to create a rootshell) + No double chroots + Restricted signal sending to other processes + No mounting or remounting of devices + Enforced chdir("/") on all chroots + +Log all execs within a jail +CONFIG_GRKERNSEC_CHROOT_EXECLOG + If you say Y here, all executions inside a chroot jail will be logged to + syslog. + +Chroot jail capability restrictions +CONFIG_GRKERNSEC_CHROOT_CAPS + If you say Y here, the capabilities on all root processes within a + chroot jail will be lowered to stop module insertion, raw i/o, + system and net admin tasks, transferring capabilities, and + tty configuration tasks. This is left an option because it breaks + some apps (glftpd) Disable this if your chrooted apps are having + problems. + +Trusted path execution +CONFIG_GRKERNSEC_TPE + If you say Y here, you will be able to choose a gid to add to the + supplementary groups of users you want to mark as "untrusted." + These users will not be able to execute any files that are not in + root-owned directories writeable only by root. + +Partially restrict non-root users +CONFIG_GRKERNSEC_TPE_ALL + If you say Y here, All other non-root users will only be allowed to + execute files in directories they own that are not group or + world-writeable, or in directories owned by root and writeable only by + root. + +Trusted path execution glibc protection +CONFIG_GRKERNSEC_TPE_GLIBC + If you say Y here, all non-root users will not be able to execute + any files while glibc specific environment variables such as + LD_PRELOAD are set, which could be used to evade the trusted + path execution protection. It also protects against evasion + through /lib/ld-2.* It is recommended you say Y here also. + +Randomized PIDs +CONFIG_GRKERNSEC_RANDPID + If you say Y here, all PIDs created on the system will be + pseudo-randomly generated. This is extremely effective along + with the /proc restrictions to disallow an attacker from guessing + pids of daemons, etc. PIDs are also used in some cases as part + of a naming system for temporary files, so this option would keep + those filenames from being predicted as well. We also use code + to make sure that PID numbers aren't reused too soon. + +Randomized IP IDs +CONFIG_GRKERNSEC_RANDID + If you say Y here, all the id field on all outgoing packets + will be randomized. This hinders os fingerprinters and + keeps your machine from being used as a bounce for an untraceable + portscan. Ids are used for fragmented packets, fragments belonging + to the same packet have the same id. By default linux only + increments the id value on each packet sent to an individual host. + I've replaced the usage of all the other ip generation routines with + my own for speed. I generate random data for 64 packets at once and + distribute them as needed. I also keep track of the last 32 packets + so that we don't create two packets with the same ids too soon, + which would cause problems if the packets were fragmented and had + to be reassembled. + This option will make your system more OpenBSD-ish ;) + +Randomized TCP source ports +CONFIG_GRKERNSEC_RANDSRC + If you say Y here, situations where a source port is generated on the + fly for the TCP protocol (ie. with connect() ) will be altered so that + the source port is generated at random, instead of a simple incrementing + algorithm. + +Altered Ping IDs +CONFIG_GRKERNSEC_RANDPING + If you say Y here, the way Linux handles echo replies will be changed + so that the reply uses an ID equal to the ID of the echo request. + This will help in confusing OS detection. + +Randomized TTL +CONFIG_GRKERNSEC_RANDTTL + If you say Y here, your TTL (time to live) for packets will be set at + random, with a base level you specify, to further confuse OS detection. + The default base level for this option is set to the Linux default. + +Socket restrictions +CONFIG_GRKERNSEC_SOCKET + If you say Y here, you will be able to choose from several options. + If you assign a GID on your system and add it to the supplementary + groups of users you want to restrict socket access to, this patch + will do one of three things, based on the option(s) you choose. + Deny all socket access: keeps users from connecting to other hosts + from the machine or running servers from the machine + Deny all client sockets: keeps users from connecting to other machines + only + Deny all server sockets: keeps users from running servers on the machine + You should change the GID's from the default to what you have set up on + your system. + +Stealth network enhancements +CONFIG_GRKERNSEC_STEALTH + If you say Y here, you will enable several enhancements that will + improve your system's protection against portscans. + Enabling these options and filtering all open ports should make + your machine very hard to detect, while not interfering with (most) + normal operation. Enabling the UDP stealth options is known to slow + down SSH connection times, and may also interfere with other protocols + as well. All the stealth options break RFC, so there's always the + possibility that it might affect how certain network applications react + to your system. + +Sysctl support +CONFIG_GRKERNSEC_SYSCTL + If you say Y here, you will be able to change the options that + grsecurity runs with at bootup, without having to recompile your + kernel. You can echo values to files in /proc/sys/kernel/grsecurity + to enable (1) or disable (0) various features. They can only be set + once per boot for security reasons. All features are enabled by default. + Please note that this option could reduce the effectiveness + of the added security of this patch if an ACL system is not put in + place. Your init scripts should be read-only, and root should not have + access to adding modules or performing raw i/o operations. All options + should be set at startup, so that they cannot be set again. *THIS IS + EXTREMELY IMPORTANT* + +Oblivion ACL System +CONFIG_OBV_PROC + If you say Y here, you enable the Access Control List system for + grsecurity called Oblivion. You will need to run obvadm setup + to set your password and create your config files. + # # ARM options # diff -urN linux/arch/alpha/config.in linux.grsec/arch/alpha/config.in --- linux/arch/alpha/config.in Sun Sep 30 01:30:50 2001 +++ linux.grsec/arch/alpha/config.in Sun Sep 30 01:54:18 2001 @@ -368,3 +368,12 @@ bool 'Legacy kernel start address' CONFIG_ALPHA_LEGACY_START_ADDRESS endmenu + +mainmenu_option next_comment +comment 'Grsecurity' +bool 'Grsecurity' CONFIG_GRKERNSEC +if [ "$CONFIG_GRKERNSEC" = "y" ]; then + source grsecurity/Config.in +fi +endmenu + diff -urN linux/arch/arm/config.in linux.grsec/arch/arm/config.in --- linux/arch/arm/config.in Sun Sep 30 01:30:50 2001 +++ linux.grsec/arch/arm/config.in Sun Sep 30 01:54:18 2001 @@ -504,3 +504,12 @@ dep_bool ' Kernel low-level debugging messages via footbridge serial port' CONFIG_DEBUG_DC21285_PORT $CONFIG_DEBUG_LL $CONFIG_FOOTBRIDGE dep_bool ' kernel low-level debugging messages via UART2' CONFIG_DEBUG_CLPS711X_UART2 $CONFIG_DEBUG_LL $CONFIG_ARCH_CLPS711X endmenu + +mainmenu_option next_comment +comment 'Grsecurity' +bool 'Grsecurity' CONFIG_GRKERNSEC +if [ "$CONFIG_GRKERNSEC" = "y" ]; then + source grsecurity/Config.in +fi +endmenu + diff -urN linux/arch/cris/config.in linux.grsec/arch/cris/config.in --- linux/arch/cris/config.in Wed Jul 4 20:50:38 2001 +++ linux.grsec/arch/cris/config.in Sun Sep 30 01:54:18 2001 @@ -240,3 +240,12 @@ int ' Profile shift count' CONFIG_PROFILE_SHIFT 2 fi endmenu + +mainmenu_option next_comment +comment 'Grsecurity' +bool 'Grsecurity' CONFIG_GRKERNSEC +if [ "$CONFIG_GRKERNSEC" = "y" ]; then + source grsecurity/Config.in +fi +endmenu + diff -urN linux/arch/i386/config.in linux.grsec/arch/i386/config.in --- linux/arch/i386/config.in Sun Sep 30 01:30:59 2001 +++ linux.grsec/arch/i386/config.in Sun Sep 30 01:54:18 2001 @@ -405,3 +405,12 @@ fi bool 'Compile the kernel with frame pointers' CONFIG_FRAME_POINTER endmenu + +mainmenu_option next_comment +comment 'Grsecurity' +bool 'Grsecurity' CONFIG_GRKERNSEC +if [ "$CONFIG_GRKERNSEC" = "y" ]; then + source grsecurity/Config.in +fi +endmenu + diff -urN linux/arch/i386/kernel/entry.S linux.grsec/arch/i386/kernel/entry.S --- linux/arch/i386/kernel/entry.S Sun Sep 30 01:30:54 2001 +++ linux.grsec/arch/i386/kernel/entry.S Sun Sep 30 01:54:18 2001 @@ -46,6 +46,7 @@ #include #define ASSEMBLY #include +#include EBX = 0x00 ECX = 0x04 @@ -410,8 +411,51 @@ #endif ENTRY(page_fault) +#ifdef CONFIG_GRKERNSEC_PAX + pushl $ SYMBOL_NAME(pax_do_page_fault) + pushl %ds + pushl %eax + xorl %eax,%eax + pushl %ebp + pushl %edi + pushl %esi + pushl %edx + decl %eax # eax = -1 + pushl %ecx + pushl %ebx + cld + movl %es,%ecx + movl ORIG_EAX(%esp), %esi # get the error code + movl ES(%esp), %edi # get the function address + movl %eax, ORIG_EAX(%esp) + movl %ecx, ES(%esp) + movl %esp,%edx + pushl %esi # push the error code + pushl %edx # push the pt_regs pointer + movl $(__KERNEL_DS),%edx + movl %edx,%ds + movl %edx,%es + GET_CURRENT(%ebx) + call *%edi + addl $8,%esp + decl %eax + jnz ret_from_exception + + popl %ebx + popl %ecx + popl %edx + popl %esi + popl %edi + popl %ebp + popl %eax + popl %ds + popl %es + addl $4,%esp + jmp system_call +#else pushl $ SYMBOL_NAME(do_page_fault) jmp error_code +#endif ENTRY(machine_check) pushl $0 diff -urN linux/arch/i386/kernel/head.S linux.grsec/arch/i386/kernel/head.S --- linux/arch/i386/kernel/head.S Wed Jun 20 20:00:53 2001 +++ linux.grsec/arch/i386/kernel/head.S Sun Sep 30 01:54:18 2001 @@ -433,7 +433,11 @@ .quad 0x0000000000000000 /* not used */ .quad 0x00cf9a000000ffff /* 0x10 kernel 4GB code at 0x00000000 */ .quad 0x00cf92000000ffff /* 0x18 kernel 4GB data at 0x00000000 */ +#ifdef CONFIG_GRKERNSEC_STACK + .quad 0x00cbfa000000f7ff /* 0x23 user 3GB-8MB code at 0 */ +#else .quad 0x00cffa000000ffff /* 0x23 user 4GB code at 0x00000000 */ +#endif .quad 0x00cff2000000ffff /* 0x2b user 4GB data at 0x00000000 */ .quad 0x0000000000000000 /* not used */ .quad 0x0000000000000000 /* not used */ diff -urN linux/arch/i386/kernel/process.c linux.grsec/arch/i386/kernel/process.c --- linux/arch/i386/kernel/process.c Sun Sep 30 01:30:54 2001 +++ linux.grsec/arch/i386/kernel/process.c Sun Sep 30 01:54:18 2001 @@ -50,6 +50,7 @@ #include + asmlinkage void ret_from_fork(void) __asm__("ret_from_fork"); int hlt_counter; @@ -736,7 +737,7 @@ { int error; char * filename; - + filename = getname((char *) regs.ebx); error = PTR_ERR(filename); if (IS_ERR(filename)) diff -urN linux/arch/i386/kernel/ptrace.c linux.grsec/arch/i386/kernel/ptrace.c --- linux/arch/i386/kernel/ptrace.c Fri Jul 20 21:39:55 2001 +++ linux.grsec/arch/i386/kernel/ptrace.c Sun Sep 30 01:54:18 2001 @@ -20,7 +20,10 @@ #include #include #include - +#ifdef CONFIG_GRKERNSEC_CHROOT +#include +extern struct task_struct *child_reaper; +#endif /* * does not yet catch signals sent when the child dies. * in exit.c or in signal.c. @@ -177,6 +180,29 @@ } if (child->p_pptr != current) goto out_tsk; + +#ifdef CONFIG_GRKERNSEC_CHROOT + if(grsec_enable_chroot && + !( (current->fs->root->d_inode->i_dev == + child_reaper->fs->root->d_inode->i_dev) && + (current->fs->root->d_inode->i_ino == + child_reaper->fs->root->d_inode->i_ino) ) && + !( (current->fs->root->d_inode->i_dev == + child->fs->root->d_inode->i_dev) && + (current->fs->root->d_inode->i_ino == + child->fs->root->d_inode->i_ino) ) ) { + security_alert("denied ptrace of process(%.16s:%d) within chroot() jail " + "(%.32s:%lu) by (%.16s:%d), UID (%d), EUID (%d), parent (%.16s:%d), " + "UID (%d), EUID(%d)","ptrace from chroot()", + child->comm,child->pid,kdevname(current->fs->root->d_inode->i_dev), + current->fs->root->d_inode->i_ino, current->comm, current->pid, + current->uid,current->euid,current->p_pptr->comm,current->p_pptr->pid, + current->p_pptr->uid,current->p_pptr->euid); + goto out_tsk; + } +#endif + + switch (request) { /* when I and D space are separate, these will need to be fixed. */ case PTRACE_PEEKTEXT: /* read word at location addr. */ diff -urN linux/arch/i386/kernel/signal.c linux.grsec/arch/i386/kernel/signal.c --- linux/arch/i386/kernel/signal.c Wed Jul 4 23:41:33 2001 +++ linux.grsec/arch/i386/kernel/signal.c Sun Sep 30 01:54:18 2001 @@ -7,6 +7,7 @@ * 2000-06-20 Pentium III FXSR, SSE support by Gareth Hughes */ +#include #include #include #include @@ -23,6 +24,10 @@ #include #include +#ifdef CONFIG_GRKERNSEC_STACK +#include +#endif + #define DEBUG_SIG 0 #define _BLOCKABLE (~(sigmask(SIGKILL) | sigmask(SIGSTOP))) @@ -420,11 +425,15 @@ if (ka->sa.sa_flags & SA_RESTORER) { err |= __put_user(ka->sa.sa_restorer, &frame->pretcode); } else { +#ifdef CONFIG_GRKERNSEC_STACK + err |= __put_user(MAGIC_SIGRETURN, &frame->pretcode); +#else err |= __put_user(frame->retcode, &frame->pretcode); /* This is popl %eax ; movl $,%eax ; int $0x80 */ err |= __put_user(0xb858, (short *)(frame->retcode+0)); err |= __put_user(__NR_sigreturn, (int *)(frame->retcode+2)); err |= __put_user(0x80cd, (short *)(frame->retcode+6)); +#endif } if (err) @@ -495,11 +504,15 @@ if (ka->sa.sa_flags & SA_RESTORER) { err |= __put_user(ka->sa.sa_restorer, &frame->pretcode); } else { +#ifdef CONFIG_GRKERNSEC_STACK + err |= __put_user(MAGIC_RT_SIGRETURN, &frame->pretcode); +#else err |= __put_user(frame->retcode, &frame->pretcode); /* This is movl $,%eax ; int $0x80 */ err |= __put_user(0xb8, (char *)(frame->retcode+0)); err |= __put_user(__NR_rt_sigreturn, (int *)(frame->retcode+1)); err |= __put_user(0x80cd, (short *)(frame->retcode+5)); +#endif } if (err) @@ -556,6 +569,18 @@ regs->eip -= 2; } } + +#ifdef CONFIG_GRKERNSEC_PAX + /* PaX: clean up as our trace attempt became obsolete */ + if ((current->flags & PF_PAX_PAGEEXEC) && (current->ptrace & PT_PAX_TRACE)) { + if (!(current->ptrace & PT_PAX_OLDTF)) { + regs->eflags &= ~TF_MASK; + } + current->ptrace &= ~(PT_PAX_TRACE | PT_PAX_KEEPTF | PT_PAX_OLDTF); + current->thread.pax_faults.eip = 0; + current->thread.pax_faults.count = 0; + } +#endif /* Set up the stack frame */ if (ka->sa.sa_flags & SA_SIGINFO) diff -urN linux/arch/i386/kernel/traps.c linux.grsec/arch/i386/kernel/traps.c --- linux/arch/i386/kernel/traps.c Sun Sep 30 01:30:54 2001 +++ linux.grsec/arch/i386/kernel/traps.c Sun Sep 30 01:54:18 2001 @@ -52,6 +52,10 @@ #include +#ifdef CONFIG_GRKERNSEC_STACK +#include +#endif + asmlinkage int system_call(void); #if defined(CONFIG_KDB) asmlinkage int kdb_call(void); @@ -489,15 +493,185 @@ DO_ERROR(11, SIGBUS, "segment not present", segment_not_present) DO_ERROR(12, SIGBUS, "stack segment", stack_segment) DO_ERROR_INFO(17, SIGBUS, "alignment check", alignment_check, BUS_ADRALN, get_cr2()) - +#if defined(CONFIG_GRKERNSEC_STACK) && defined(CONFIG_GRKERNSEC_STACK_GCC) +static unsigned long *get_reg(struct pt_regs *regs, unsigned char regnum) +{ + switch (regnum) { + case 0: return ®s->eax; + case 1: return ®s->ecx; + case 2: return ®s->edx; + case 3: return ®s->ebx; + case 4: return ®s->esp; + case 5: return ®s->ebp; + case 6: return ®s->esi; + case 7: return ®s->edi; + } + return NULL; +} +static unsigned long get_modrm(struct pt_regs *regs, int *err) +{ + unsigned char modrm, sib; + signed char rel8; + unsigned long rel32; + int size, regnum, scale; + unsigned long index, base, addr, value; + + *err |= __get_user(modrm, (unsigned char *)(regs->eip + 1)); + size = 2; + regnum = modrm & 7; + addr = *get_reg(regs, regnum); + if (regnum == 4 && (modrm & 0xC0) != 0xC0) { + *err |= __get_user(sib, (unsigned char *)(regs->eip + 2)); + size = 3; + scale = sib >> 6; + index = *get_reg(regs, (sib >> 3) & 7); + base = *get_reg(regs, sib & 7); + addr = base + (index << scale); + } + + switch (modrm & 0xC0) { + case 0x00: + if (regnum == 5) { + *err |= __get_user(addr, + (unsigned long *)(regs->eip + 2)); + size = 6; + } + *err |= __get_user(value, (unsigned long *)addr); + break; + + case 0x40: + *err |= __get_user(rel8, (signed char *)(regs->eip + size)); + size++; + addr += rel8; + *err |= __get_user(value, (unsigned long *)addr); + break; + + case 0x80: + *err |= __get_user(rel32, (unsigned long *)(regs->eip + size)); + size += 4; + addr += rel32; + *err |= __get_user(value, (unsigned long *)addr); + break; + + case 0xC0: + default: + value = addr; + } + + if (*err) return 0; + regs->eip += size; + return value; +} +#endif asmlinkage void do_general_protection(struct pt_regs * regs, long error_code) { +#ifdef CONFIG_GRKERNSEC_STACK + unsigned long addr; +#ifdef CONFIG_GRKERNSEC_STACK_GCC + unsigned char insn; + int err, count; +#endif +#endif if (regs->eflags & VM_MASK) goto gp_in_vm86; if (!(regs->xcs & 3)) goto gp_in_kernel; - +#ifdef CONFIG_GRKERNSEC_STACK +/* Check if it was return from a signal handler */ + if ((regs->xcs & 0xFFFF) == __USER_CS) + if (*(unsigned char *)regs->eip == 0xC3) + if (!__get_user(addr, (unsigned long *)regs->esp)) { + if ((addr & 0xFFFFFFFE) == MAGIC_SIGRETURN) { +/* Call sys_sigreturn() or sys_rt_sigreturn() to restore the context */ + regs->esp += 8; + __asm__("movl %3,%%esi\n\t" + "subl %1,%%esp\n\t" + "movl %2,%%ecx\n\t" + "movl %%esp,%%edi\n\t" + "rep; movsl\n\t" + "testl $1,%4\n\t" + "jnz 1f\n\t" + "call sys_sigreturn\n\t" + "leal %3,%%edi\n\t" + "jmp 2f\n\t" + "1:\n\t" + "call sys_rt_sigreturn\n\t" + "leal %3,%%edi\n\t" + "2:\n\t" + "addl %1,%%edi\n\t" + "movl %%esp,%%esi\n\t" + "movl %2,%%ecx\n\t" + "movl (%%edi),%%edi\n\t" + "rep; movsl\n\t" + "movl %%esi,%%esp" + : +/* %eax is returned separately */ + "=a" (regs->eax) + : + "i" (sizeof(*regs)), + "i" (sizeof(*regs) >> 2), + "m" (regs), + "r" (addr) + : + "cx", "dx", "si", "di", "cc", "memory"); + return; + } +/* + * * Check if we're returning to the stack area, which is only likely to happen + * * when attempting to exploit a buffer overflow. + * */ + if ((addr & 0xFF800000) == 0xBF800000 || + (addr >= PAGE_OFFSET - _STK_LIM && addr < PAGE_OFFSET)) + security_alert("return onto stack by (%.16s:%d), UID(%d), EUID (%d), parent (%.16s:%d), UID(%d), EUID (%d)", + "returns onto stack", + current->comm,current->pid,current->uid, + current->euid,current->p_pptr->comm,current->p_pptr->pid, + current->p_pptr->uid,current->p_pptr->euid); + } + +#ifdef CONFIG_GRKERNSEC_STACK_GCC +/* Check if it could have been a trampoline call */ + if ((regs->xcs & 0xFFFF) == __USER_CS) + if (*(unsigned char *)regs->eip == 0xFF) + if (!__get_user(insn, (unsigned char *)(regs->eip + 1))) + if ((insn & 0x38) == 0x10 && insn != 0xD4) { /* call mod r/m */ +/* First, emulate the call */ + err = 0; + addr = get_modrm(regs, &err); + if (!err) { + regs->esp -= 4; + err = __put_user(regs->eip, (unsigned long *)regs->esp); + regs->eip = addr; + } +/* Then, start emulating the trampoline itself */ + count = 0; + while (!err && !__get_user(insn, (unsigned char *)regs->eip++)) + if ((insn & 0xF8) == 0xB8) { /* movl imm32,%reg */ +/* We only have 8 GP registers, no reason to initialize one twice */ + if (count++ >= 8) break; + err |= __get_user(addr, (unsigned long *)regs->eip); + regs->eip += 4; + *get_reg(regs, insn & 7) = addr; + } else + if (insn == 0xFF) { + err |= __get_user(insn, (unsigned char *)regs->eip); + if ((insn & 0xF8) == 0xE0) { /* jmp *%reg */ + regs->eip = *get_reg(regs, insn & 7); + if (err) break; else return; + } + break; + } else + if (insn == 0xE9) { /* jmp rel32 */ + err |= __get_user(addr, (unsigned long *)regs->eip); + if (err) break; + regs->eip += 4 + addr; + return; + } else + break; + } +#endif +#endif current->thread.error_code = error_code; current->thread.trap_no = 13; force_sig(SIGSEGV, current); @@ -720,6 +894,10 @@ inb(0x71); /* dummy */ } +#ifdef CONFIG_GRKERNSEC_PAX +void pax_handle_ptes(struct task_struct *tsk); +#endif + /* * Our handling of the processor debug registers is non-trivial. * We do not clear them on entry and exit from the kernel. Therefore @@ -759,6 +937,23 @@ return; #endif +#ifdef CONFIG_GRKERNSEC_PAX + /* PaX: clean up */ + /* PaX: clean up */ + if ((tsk->flags & PF_PAX_PAGEEXEC) && (condition & DR_STEP) && (tsk->ptrace & PT_PAX_TRACE)) { + tsk->ptrace &= ~PT_PAX_TRACE; + pax_handle_ptes(tsk); + if (!(tsk->ptrace & PT_PAX_KEEPTF) && !(tsk->ptrace & PT_PAX_OLDTF)) + regs->eflags &= ~TF_MASK; + tsk->ptrace &= ~PT_PAX_KEEPTF; + if (!(tsk->ptrace & PT_PAX_OLDTF)) { + condition &= ~DR_STEP; + if (!(condition & (DR_TRAP0|DR_TRAP1|DR_TRAP2|DR_TRAP3))) + return; + } + tsk->ptrace &= ~PT_PAX_OLDTF; + } +#endif /* Mask out spurious debug traps due to lazy DR7 setting */ if (condition & (DR_TRAP0|DR_TRAP1|DR_TRAP2|DR_TRAP3)) { if (!tsk->thread.debugreg[7]) diff -urN linux/arch/i386/mm/fault.c linux.grsec/arch/i386/mm/fault.c --- linux/arch/i386/mm/fault.c Tue May 15 09:16:51 2001 +++ linux.grsec/arch/i386/mm/fault.c Sun Sep 30 01:55:48 2001 @@ -4,6 +4,7 @@ * Copyright (C) 1995 Linus Torvalds */ +#include #include #include #include @@ -17,6 +18,9 @@ #include #include #include +#ifdef CONFIG_GRKERNSEC_PAX +#include +#endif #include #include @@ -103,23 +107,31 @@ * bit 1 == 0 means read, 1 means write * bit 2 == 0 means kernel, 1 means user-mode */ +#ifdef CONFIG_GRKERNSEC_PAX +asmlinkage void do_page_fault(struct pt_regs *regs, unsigned long error_code, unsigned long address) +#else asmlinkage void do_page_fault(struct pt_regs *regs, unsigned long error_code) +#endif { struct task_struct *tsk; struct mm_struct *mm; struct vm_area_struct * vma; +#ifndef CONFIG_GRKERNSEC_PAX unsigned long address; +#endif unsigned long page; unsigned long fixup; int write; siginfo_t info; +#ifndef CONFIG_GRKERNSEC_PAX /* get the address */ __asm__("movl %%cr2,%0":"=r" (address)); /* It's safe to allow irq's after cr2 has been saved */ if (regs->eflags & X86_EFLAGS_IF) local_irq_enable(); +#endif tsk = current; @@ -177,21 +189,37 @@ good_area: info.si_code = SEGV_ACCERR; write = 0; +#ifdef CONFIG_GRKERNSEC_PAX + switch (error_code & 7) { +#else switch (error_code & 3) { +#endif default: /* 3: write, present */ #ifdef TEST_VERIFY_AREA if (regs->cs == KERNEL_CS) printk("WP fault at %08lx\n", regs->eip); #endif /* fall through */ +#ifdef CONFIG_GRKERNSEC_PAX + case 7: /* PaX: write, present, some protection violation */ +#endif case 2: /* write, not present */ +#ifdef CONFIG_GRKERNSEC_PAX + case 6: +#endif if (!(vma->vm_flags & VM_WRITE)) goto bad_area; write++; break; case 1: /* read, present */ goto bad_area; +#ifdef CONFIG_GRKERNSEC_PAX + case 5: /* PaX: read, present, protection violation */ +#endif case 0: /* read, not present */ +#ifdef CONFIG_GRKERNSEC_PAX + case 4: +#endif if (!(vma->vm_flags & (VM_READ | VM_EXEC))) goto bad_area; } @@ -358,3 +386,440 @@ return; } } +#ifdef CONFIG_GRKERNSEC_PAX +/* PaX: called with the page_table_lock spinlock held */ +static inline pte_t * pax_get_pte(struct mm_struct *mm, unsigned long address) +{ + pgd_t *pgd; + pmd_t *pmd; + + pgd = pgd_offset(mm, address); + if (!pgd || !pgd_present(*pgd)) + return 0; + pmd = pmd_offset(pgd, address); + if (!pmd || !pmd_present(*pmd)) + return 0; + return pte_offset(pmd, address); +} + +/* + * PaX: decide what to do with offenders + * + * returns 0 when access should be allowed + * 1 when task should be killed + * 2 when sigreturn trampoline was detected + * 3 when rt_sigreturn trampoline was detected + * 4 when gcc trampoline was detected + */ +static int pax_handle_read_fault(struct pt_regs *regs, unsigned long address) +{ + static unsigned char trans[8] = {6, 1, 2, 0, 13, 5, 3, 4}; + int err; + +#ifdef CONFIG_GRKERNSEC_PAX_EMUTRAMP + if (!(current->flags & PF_PAX_EMUTRAMP)) + return 1; + { /* PaX: sigreturn emulation */ + unsigned char pop, mov; + unsigned short sys; + unsigned long nr; + + err = __get_user(pop, (unsigned char *)(regs->eip)); + err |= __get_user(mov, (unsigned char *)(regs->eip + 1)); + err |= __get_user(nr, (unsigned long *)(regs->eip + 2)); + err |= __get_user(sys, (unsigned short *)(regs->eip + 6)); + + if (!err) { + if (pop == 0x58 && + mov == 0xb8 && + nr == __NR_sigreturn && + sys == 0x80cd) + { + regs->esp += 4; + regs->eax = nr; + regs->eip += 8; + return 2; + } + } + } + + { /* PaX: rt_sigreturn emulation */ + unsigned char mov; + unsigned short sys; + unsigned long nr; + + err = __get_user(mov, (unsigned char *)(regs->eip)); + err |= __get_user(nr, (unsigned long *)(regs->eip + 1)); + err |= __get_user(sys, (unsigned short *)(regs->eip + 5)); + + if (!err) { + if (mov == 0xb8 && + nr == __NR_rt_sigreturn && + sys == 0x80cd) + { + regs->eax = nr; + regs->eip += 7; + return 3; + } + } + } + + { /* PaX: gcc trampoline emulation #1 */ + unsigned char mov1, mov2; + unsigned short jmp; + unsigned long addr1, addr2, ret; + + err = __get_user(mov1, (unsigned char *)(regs->eip)); + err |= __get_user(addr1, (unsigned long *)(regs->eip + 1)); + err |= __get_user(mov2, (unsigned char *)(regs->eip + 5)); + err |= __get_user(addr2, (unsigned long *)(regs->eip + 6)); + err |= __get_user(jmp, (unsigned short *)(regs->eip + 10)); + err |= __get_user(ret, (unsigned long *)(regs->esp)); + + if (!err) { + unsigned short call; + + err = __get_user(call, (unsigned short *)(ret-2)); + if (!err) { + if ((mov1 & 0xF8) == 0xB8 && + (mov2 & 0xF8) == 0xB8 && + (mov1 & 0x07) != (mov2 & 0x07) && + (jmp & 0xF8FF) == 0xE0FF && + (mov2 & 0x07) == ((jmp>>8) & 0x07) && + (call & 0xF8FF) == 0xD0FF && + (regs->eip == ((unsigned long*)regs)[trans[(call>>8) & 0x07]])) + { + ((unsigned long *)regs)[trans[mov1 & 0x07]] = addr1; + ((unsigned long *)regs)[trans[mov2 & 0x07]] = addr2; + regs->eip = addr2; + return 4; + } + } + } + } + + { /* PaX: gcc trampoline emulation #2 */ + unsigned char mov, jmp; + unsigned long addr1, addr2, ret; + + err = __get_user(mov, (unsigned char *)(regs->eip)); + err |= __get_user(addr1, (unsigned long *)(regs->eip + 1)); + err |= __get_user(jmp, (unsigned char *)(regs->eip + 5)); + err |= __get_user(addr2, (unsigned long *)(regs->eip + 6)); + err |= __get_user(ret, (unsigned long *)(regs->esp)); + + if (!err) { + unsigned short call; + + err = __get_user(call, (unsigned short *)(ret-2)); + if (!err) { + if ((mov & 0xF8) == 0xB8 && + jmp == 0xE9 && + (call & 0xF8FF) == 0xD0FF && + (regs->eip == ((unsigned long*)regs)[trans[(call>>8) & 0x07]])) + { + ((unsigned long *)regs)[trans[mov & 0x07]] = addr1; + regs->eip += addr2 + 10; + return 4; + } + } + } + } +#endif + + return 1; /* PaX in action */ +} + +static int pax_handle_opcode(struct task_struct *tsk, struct pt_regs *regs) +{ + unsigned long opsize = 1; + unsigned long opsize_override = 0; + unsigned long i; + + if (regs->eflags & TF_MASK) + tsk->ptrace |= PT_PAX_OLDTF; + else + tsk->ptrace &= ~PT_PAX_OLDTF; + tsk->ptrace &= ~PT_PAX_KEEPTF; + + for (i=0; i<15; i++) { + unsigned char opcode; + if (__get_user(opcode, (unsigned char*)(regs->eip+i))) + break; + switch (opcode) { + case 0x26: + case 0x2E: + case 0x36: + case 0x3E: + case 0x64: + case 0x65: + case 0x67: + case 0xF0: + case 0xF2: + case 0xF3: + break; + + case 0x66: + opsize_override = 1; + break; + + case 0x9C: /* PUSHF */ + if (opsize ^ opsize_override) { + __put_user(regs->eflags & 0x00FCFFFFul, (unsigned long*)(regs->esp-4)); + regs->esp -= 4; + } else { + __put_user(regs->eflags, (unsigned short*)(regs->esp-2)); + regs->esp -= 2; + } + regs->eip += i + 1; + return 1; + + case 0x9D: /* POPF */ + case 0xCF: /* IRET */ + tsk->ptrace |= PT_PAX_KEEPTF; + return 0; + + default: + return 0; + } + } + return 0; +} + +static inline void pax_handle_pte(struct mm_struct *mm, unsigned long address) +{ + pte_t *pte; + pte = pax_get_pte(mm, address); + if (pte) { + set_pte(pte, pte_exprotect(*pte)); + __flush_tlb_one(address); + } +} + +#define PAX_SPIN_COUNT 256 + +void pax_handle_ptes(struct task_struct *tsk) +{ + struct mm_struct *mm; + + mm = tsk->mm; + spin_lock(&mm->page_table_lock); + switch (tsk->thread.pax_faults.count) { + default: + printk(KERN_ERR "PAX: wtf: %s:%d, %ld\n", tsk->comm, tsk->pid, tsk->thread.pax_faults.count); + break; + + case PAX_SPIN_COUNT+4: + pax_handle_pte(mm, tsk->thread.pax_faults.addresses[3]); + + case PAX_SPIN_COUNT+3: + pax_handle_pte(mm, tsk->thread.pax_faults.addresses[2]); + + case PAX_SPIN_COUNT+2: + pax_handle_pte(mm, tsk->thread.pax_faults.addresses[1]); + + case PAX_SPIN_COUNT+1: + pax_handle_pte(mm, tsk->thread.pax_faults.addresses[0]); + } + spin_unlock(&mm->page_table_lock); + tsk->thread.pax_faults.eip = 0; + tsk->thread.pax_faults.count = 0; +} + +/* + * PaX: handle the extra page faults or pass it down to the original handler + * + * returns 0 when nothing special was detected + * 1 when sigreturn trampoline (syscall) has to be emulated + */ +asmlinkage int pax_do_page_fault(struct pt_regs *regs, unsigned long error_code) +{ + struct task_struct *tsk = current; + struct mm_struct *mm = current->mm; + unsigned long address; + pte_t *pte; + unsigned char pte_mask = _PAGE_ACCESSED | _PAGE_USER; + int ret; + unsigned long i; + + __asm__("movl %%cr2,%0":"=r" (address)); + + /* It's safe to allow irq's after cr2 has been saved */ + if (regs->eflags & X86_EFLAGS_IF) + local_irq_enable(); + + if ((error_code & 5) != 5 || address >= TASK_SIZE || regs->xcs != __USER_CS || (VM_MASK & regs->eflags)) + goto chain; + + /* PaX: it's our fault, let's handle it if we can */ + + if (error_code == 7) { + pte_mask |= _PAGE_DIRTY; + /* PaX: take a look at read faults before acquiring any locks */ + } else if (regs->eip == address) { /* read/instruction fetch attempt from a protected page in user mode */ + ret = pax_handle_read_fault(regs, address); + switch (ret) { + case 4: + tsk->thread.pax_faults.eip = 0; + tsk->thread.pax_faults.count = 0; + return 0; + + case 3: + case 2: + tsk->thread.pax_faults.eip = 0; + tsk->thread.pax_faults.count = 0; + return 1; + + default: + case 1: { + char* buffer = (char*)__get_free_page(GFP_KERNEL); + char* path=NULL; + + if (buffer) { + struct vm_area_struct* vma; + + down_read(&mm->mmap_sem); + vma = mm->mmap; + while (vma) { + if ((vma->vm_flags & VM_EXECUTABLE) && vma->vm_file) { + break; + } + vma = vma->vm_next; + } + if (vma) + path = d_path(vma->vm_file->f_dentry, vma->vm_file->f_vfsmnt, buffer, PAGE_SIZE); + up_read(&mm->mmap_sem); + } + printk(KERN_ERR "PAX: terminating task: %s(%s):%d, EIP: %08lX, ESP: %08lX\n", path, tsk->comm, tsk->pid, regs->eip, regs->esp); + if (buffer) free_page((unsigned long)buffer); + printk(KERN_ERR "PAX: bytes at EIP: "); + for (i = 0; i < 20; i++) { + unsigned char c; + if (__get_user(c, (unsigned char*)(regs->eip+i))) { + printk("."); + break; + } + printk("%02x ", c); + } + printk("\n"); + + tsk->thread.pax_faults.eip = 0; + tsk->thread.pax_faults.count = 0; + tsk->ptrace &= ~(PT_PAX_TRACE | PT_PAX_KEEPTF | PT_PAX_OLDTF); + regs->eflags &= ~TF_MASK; + tsk->thread.cr2 = address; + tsk->thread.error_code = error_code; + tsk->thread.trap_no = 14; + force_sig(SIGKILL,tsk); + return 0; + } + + case 0: + } + } + + spin_lock(&mm->page_table_lock); + pte = pax_get_pte(mm, address); + if (!pte || !(pte_val(*pte) & _PAGE_PRESENT) || pte_exec(*pte)) { + spin_unlock(&mm->page_table_lock); + goto chain; + } + + if ((error_code == 7) && !pte_write(*pte)) { /* write attempt to a protected page in user mode */ + spin_unlock(&mm->page_table_lock); + goto chain; + } + + /* + * PaX: fill DTLB with user rights and retry + */ + if (regs->eip != tsk->thread.pax_faults.eip) { /* detect DTLB trashing */ + tsk->thread.pax_faults.eip = regs->eip; + tsk->thread.pax_faults.count = 0; + +pax_emu: + __asm__ __volatile__ ( + "orb %2,%1\n" + "invlpg %0\n" + "testb $0,%0\n" + "xorb %3,%1\n" + : + : "m" (*(char*)address), "m" (*(char*)pte) , "r" (pte_mask) , "i" (_PAGE_USER) + : "memory", "cc"); + spin_unlock(&mm->page_table_lock); + return 0; + } + + if (tsk->thread.pax_faults.count < PAX_SPIN_COUNT) { + ++tsk->thread.pax_faults.count; + goto pax_emu; + } + spin_unlock(&mm->page_table_lock); + + if (tsk->thread.pax_faults.count == PAX_SPIN_COUNT) { + if (pax_handle_opcode(tsk, regs)) { + tsk->thread.pax_faults.eip = 0; + tsk->thread.pax_faults.count = 0; + tsk->ptrace &= ~(PT_PAX_TRACE | PT_PAX_KEEPTF | PT_PAX_OLDTF); + return 0; + } else { + ++tsk->thread.pax_faults.count; + } + } + + if (tsk->thread.pax_faults.count > PAX_SPIN_COUNT+1+3) { + printk(KERN_ERR "PAX: preventing DoS: %s:%d, EIP: %08lX, ESP: %08lX\n", tsk->comm, tsk->pid, regs->eip, regs->esp); + printk(KERN_ERR "PAX: bytes at EIP: "); + for (i = 0; i < 20; i++) { + unsigned char c; + if (__get_user(c, (unsigned char*)(regs->eip+i))) { + printk("."); + break; + } + printk("%02x ", c); + } + printk("\n"); + + tsk->thread.pax_faults.eip = 0; + tsk->thread.pax_faults.count = 0; + tsk->ptrace &= ~(PT_PAX_TRACE | PT_PAX_KEEPTF | PT_PAX_OLDTF); + regs->eflags &= ~TF_MASK; + tsk->thread.cr2 = address; + tsk->thread.error_code = error_code; + tsk->thread.trap_no = 14; + force_sig(SIGKILL,tsk); + return 0; + } + + spin_lock(&mm->page_table_lock); + pte = pax_get_pte(mm, address); + if (pte) { + set_pte(pte, pte_mkexec(*pte)); + __flush_tlb_one(address); + tsk->thread.pax_faults.addresses[tsk->thread.pax_faults.count-PAX_SPIN_COUNT-1] = address; + ++tsk->thread.pax_faults.count; + } + spin_unlock(&mm->page_table_lock); + tsk->ptrace |= PT_PAX_TRACE; + regs->eflags |= TF_MASK; + +#if 0 + if (tsk->thread.pax_faults.count > PAX_SPIN_COUNT+1+1) { + printk(KERN_ERR "PAX: DTLB trashing, level %ld: %s:%d," + "EIP: %08lX, ESP: %08lX, cr2: %08lX\n", + tsk->thread.pax_faults.count - (PAX_SPIN_COUNT+1), + tsk->comm, tsk->pid, regs->eip, regs->esp, address); + printk(KERN_ERR "PAX: DTLB trashing, %08lX, %08lX, %08lX\n", + tsk->thread.pax_faults.addresses[0], + tsk->thread.pax_faults.addresses[1], + tsk->thread.pax_faults.addresses[2]); + } +#endif + return 0; + +chain: + do_page_fault(regs, error_code, address); + return 0; +} +#endif + diff -urN linux/arch/i386/mm/init.c linux.grsec/arch/i386/mm/init.c --- linux/arch/i386/mm/init.c Sat Apr 21 01:15:20 2001 +++ linux.grsec/arch/i386/mm/init.c Sun Sep 30 01:54:18 2001 @@ -397,7 +397,11 @@ pmd = pmd_offset(pgd, vaddr); pte = pte_offset(pmd, vaddr); old_pte = *pte; +#ifdef CONFIG_GRKERNSEC_PAX + *pte = mk_pte_phys(0, PAGE_READONLY_EXEC); +#else *pte = mk_pte_phys(0, PAGE_READONLY); +#endif local_flush_tlb(); boot_cpu_data.wp_works_ok = do_test_wp_bit(vaddr); diff -urN linux/arch/ia64/config.in linux.grsec/arch/ia64/config.in --- linux/arch/ia64/config.in Wed Apr 18 02:19:24 2001 +++ linux.grsec/arch/ia64/config.in Sun Sep 30 01:54:18 2001 @@ -281,3 +281,12 @@ bool 'Disable VHPT' CONFIG_DISABLE_VHPT endmenu + +mainmenu_option next_comment +comment 'Grsecurity' +bool 'Grsecurity' CONFIG_GRKERNSEC +if [ "$CONFIG_GRKERNSEC" = "y" ]; then + source grsecurity/Config.in +fi +endmenu + diff -urN linux/arch/m68k/config.in linux.grsec/arch/m68k/config.in --- linux/arch/m68k/config.in Sun Sep 30 01:30:50 2001 +++ linux.grsec/arch/m68k/config.in Sun Sep 30 01:54:18 2001 @@ -548,3 +548,12 @@ #bool 'Debug kmalloc/kfree' CONFIG_DEBUG_MALLOC bool 'Magic SysRq key' CONFIG_MAGIC_SYSRQ endmenu + +mainmenu_option next_comment +comment 'Grsecurity' +bool 'Grsecurity' CONFIG_GRKERNSEC +if [ "$CONFIG_GRKERNSEC" = "y" ]; then + source grsecurity/Config.in +fi +endmenu + diff -urN linux/arch/mips/config.in linux.grsec/arch/mips/config.in --- linux/arch/mips/config.in Sun Sep 30 01:30:50 2001 +++ linux.grsec/arch/mips/config.in Sun Sep 30 01:54:18 2001 @@ -509,3 +509,12 @@ bool 'Run uncached' CONFIG_MIPS_UNCACHED fi endmenu + +mainmenu_option next_comment +comment 'Grsecurity' +bool 'Grsecurity' CONFIG_GRKERNSEC +if [ "$CONFIG_GRKERNSEC" = "y" ]; then + source grsecurity/Config.in +fi +endmenu + diff -urN linux/arch/mips64/config.in linux.grsec/arch/mips64/config.in --- linux/arch/mips64/config.in Wed Jul 4 20:50:39 2001 +++ linux.grsec/arch/mips64/config.in Sun Sep 30 01:54:18 2001 @@ -274,3 +274,12 @@ bool 'Run uncached' CONFIG_MIPS_UNCACHED fi endmenu + +mainmenu_option next_comment +comment 'Grsecurity' +bool 'Grsecurity' CONFIG_GRKERNSEC +if [ "$CONFIG_GRKERNSEC" = "y" ]; then + source grsecurity/Config.in +fi +endmenu + diff -urN linux/arch/parisc/config.in linux.grsec/arch/parisc/config.in --- linux/arch/parisc/config.in Wed Apr 18 02:19:25 2001 +++ linux.grsec/arch/parisc/config.in Sun Sep 30 01:54:18 2001 @@ -208,3 +208,11 @@ bool 'Magic SysRq key' CONFIG_MAGIC_SYSRQ endmenu +mainmenu_option next_comment +comment 'Grsecurity' +bool 'Grsecurity' CONFIG_GRKERNSEC +if [ "$CONFIG_GRKERNSEC" = "y" ]; then + source grsecurity/Config.in +fi +endmenu + diff -urN linux/arch/ppc/config.in linux.grsec/arch/ppc/config.in --- linux/arch/ppc/config.in Sun Sep 30 01:30:50 2001 +++ linux.grsec/arch/ppc/config.in Sun Sep 30 01:54:18 2001 @@ -379,3 +379,12 @@ bool 'Include kgdb kernel debugger' CONFIG_KGDB bool 'Include xmon kernel debugger' CONFIG_XMON endmenu + +mainmenu_option next_comment +comment 'Grsecurity' +bool 'Grsecurity' CONFIG_GRKERNSEC +if [ "$CONFIG_GRKERNSEC" = "y" ]; then + source grsecurity/Config.in +fi +endmenu + diff -urN linux/arch/s390/config.in linux.grsec/arch/s390/config.in --- linux/arch/s390/config.in Wed Apr 18 02:19:25 2001 +++ linux.grsec/arch/s390/config.in Sun Sep 30 01:54:19 2001 @@ -70,3 +70,11 @@ bool 'Magic SysRq key' CONFIG_MAGIC_SYSRQ endmenu +mainmenu_option next_comment +comment 'Grsecurity' +bool 'Grsecurity' CONFIG_GRKERNSEC +if [ "$CONFIG_GRKERNSEC" = "y" ]; then + source grsecurity/Config.in +fi +endmenu + diff -urN linux/arch/s390x/config.in linux.grsec/arch/s390x/config.in --- linux/arch/s390x/config.in Wed Apr 18 02:19:25 2001 +++ linux.grsec/arch/s390x/config.in Sun Sep 30 01:54:19 2001 @@ -74,3 +74,11 @@ bool 'Magic SysRq key' CONFIG_MAGIC_SYSRQ endmenu +mainmenu_option next_comment +comment 'Grsecurity' +bool 'Grsecurity' CONFIG_GRKERNSEC +if [ "$CONFIG_GRKERNSEC" = "y" ]; then + source grsecurity/Config.in +fi +endmenu + diff -urN linux/arch/sh/config.in linux.grsec/arch/sh/config.in --- linux/arch/sh/config.in Wed Jun 27 22:55:29 2001 +++ linux.grsec/arch/sh/config.in Sun Sep 30 01:54:19 2001 @@ -326,3 +326,12 @@ bool 'Early printk support' CONFIG_SH_EARLY_PRINTK fi endmenu + +mainmenu_option next_comment +comment 'Grsecurity' +bool 'Grsecurity' CONFIG_GRKERNSEC +if [ "$CONFIG_GRKERNSEC" = "y" ]; then + source grsecurity/Config.in +fi +endmenu + diff -urN linux/arch/sparc/config.in linux.grsec/arch/sparc/config.in --- linux/arch/sparc/config.in Sun Sep 30 01:30:52 2001 +++ linux.grsec/arch/sparc/config.in Sun Sep 30 01:54:19 2001 @@ -274,3 +274,12 @@ bool 'Magic SysRq key' CONFIG_MAGIC_SYSRQ endmenu + +mainmenu_option next_comment +comment 'Grsecurity' +bool 'Grsecurity' CONFIG_GRKERNSEC +if [ "$CONFIG_GRKERNSEC" = "y" ]; then + source grsecurity/Config.in +fi +endmenu + diff -urN linux/arch/sparc64/config.in linux.grsec/arch/sparc64/config.in --- linux/arch/sparc64/config.in Sun Sep 30 01:30:50 2001 +++ linux.grsec/arch/sparc64/config.in Sun Sep 30 01:54:19 2001 @@ -289,3 +289,12 @@ bool 'Magic SysRq key' CONFIG_MAGIC_SYSRQ #bool 'ECache flush trap support at ta 0x72' CONFIG_EC_FLUSH_TRAP endmenu + +mainmenu_option next_comment +comment 'Grsecurity' +bool 'Grsecurity' CONFIG_GRKERNSEC +if [ "$CONFIG_GRKERNSEC" = "y" ]; then + source grsecurity/Config.in +fi +endmenu + diff -urN linux/drivers/char/mem.c linux.grsec/drivers/char/mem.c --- linux/drivers/char/mem.c Wed Jul 11 01:07:46 2001 +++ linux.grsec/drivers/char/mem.c Sun Sep 30 01:54:19 2001 @@ -205,9 +205,20 @@ /* * Don't dump addresses that are not real memory to a core file. */ +#ifdef CONFIG_GRKERNSEC_PAX + if (offset >= __pa(high_memory) || (file->f_flags & O_SYNC)) { +#else if (offset >= __pa(high_memory) || (file->f_flags & O_SYNC)) +#endif vma->vm_flags |= VM_IO; - +#ifdef CONFIG_GRKERNSEC_PAX + /* it turned out to be device memory (eg. video RAM), don't apply PaX */ + if (!(vma->vm_flags & VM_EXEC)) { + vma->vm_flags |= VM_EXEC | VM_MAYEXEC; + vma->vm_page_prot = protection_map[vma->vm_flags & 0x0f]; + } + } +#endif if (remap_page_range(vma->vm_start, offset, vma->vm_end-vma->vm_start, vma->vm_page_prot)) return -EAGAIN; @@ -368,8 +379,11 @@ count = size; zap_page_range(mm, addr, count); +#ifdef CONFIG_GRKERNSEC_PAX + zeromap_page_range(addr, count, vma->vm_page_prot); +#else zeromap_page_range(addr, count, PAGE_COPY); - +#endif size -= count; buf += count; addr += count; diff -urN linux/drivers/char/random.c linux.grsec/drivers/char/random.c --- linux/drivers/char/random.c Mon Jul 2 22:56:41 2001 +++ linux.grsec/drivers/char/random.c Sun Sep 30 01:54:19 2001 @@ -253,6 +253,12 @@ /* * Configuration information */ +#ifdef CONFIG_GRKERNSEC_RANDNET +#include +#define DEFAULT_POOL_SIZE_RANDNET 4096 +#define SECONDARY_POOL_SIZE_RANDNET 1024 +#define BATCH_ENTROPY_SIZE_RANDNET 2048 +#endif #define DEFAULT_POOL_SIZE 512 #define SECONDARY_POOL_SIZE 128 #define BATCH_ENTROPY_SIZE 256 @@ -380,8 +386,13 @@ /* * Static global variables */ +#ifdef CONFIG_GRKERNSEC_RANDPID +struct entropy_store *random_state; /* The default global store */ +struct entropy_store *sec_random_state; /* secondary store */ +#else static struct entropy_store *random_state; /* The default global store */ static struct entropy_store *sec_random_state; /* secondary store */ +#endif static DECLARE_WAIT_QUEUE_HEAD(random_read_wait); static DECLARE_WAIT_QUEUE_HEAD(random_write_wait); @@ -1383,11 +1394,23 @@ { int i; - if (create_entropy_store(DEFAULT_POOL_SIZE, &random_state)) + if (create_entropy_store( +#ifdef CONFIG_GRKERNSEC_RANDNET + grsec_enable_randnet?DEFAULT_POOL_SIZE_RANDNET: +#endif + DEFAULT_POOL_SIZE, &random_state)) return; /* Error, return */ - if (batch_entropy_init(BATCH_ENTROPY_SIZE, random_state)) + if (batch_entropy_init( +#ifdef CONFIG_GRKERNSEC_RANDNET + grsec_enable_randnet?BATCH_ENTROPY_SIZE_RANDNET: +#endif + BATCH_ENTROPY_SIZE, random_state)) return; /* Error, return */ - if (create_entropy_store(SECONDARY_POOL_SIZE, &sec_random_state)) + if (create_entropy_store( +#ifdef CONFIG_GRKERNSEC_RANDNET + grsec_enable_randnet?SECONDARY_POOL_SIZE_RANDNET: +#endif + SECONDARY_POOL_SIZE, &sec_random_state)) return; /* Error, return */ clear_entropy_store(random_state); clear_entropy_store(sec_random_state); diff -urN linux/drivers/char/vt.c linux.grsec/drivers/char/vt.c --- linux/drivers/char/vt.c Fri Feb 9 20:30:22 2001 +++ linux.grsec/drivers/char/vt.c Sun Sep 30 01:54:19 2001 @@ -40,6 +40,10 @@ #include #endif /* CONFIG_FB_COMPAT_XPMAC */ +#ifdef CONFIG_GRKERNSEC_KBMAP +#include +#endif + char vt_dont_switch; extern struct tty_driver console_driver; @@ -174,7 +178,11 @@ val = (i ? K_HOLE : K_NOSUCHMAP); return put_user(val, &user_kbe->kb_value); case KDSKBENT: +#ifdef CONFIG_GRKERNSEC_KBMAP + if (!perm || (grsec_enable_kbmap && !suser())) +#else if (!perm) +#endif return -EPERM; if (!i && v == K_NOSUCHMAP) { /* disallocate map */ @@ -293,7 +301,11 @@ put_user('\0', q); return ((p && *p) ? -EOVERFLOW : 0); case KDSKBSENT: +#ifdef CONFIG_GRKERNSEC_KBMAP + if (!perm || (grsec_enable_kbmap && !suser())) +#else if (!perm) +#endif return -EPERM; q = func_table[i]; diff -urN linux/drivers/ieee1394/video1394.c linux.grsec/drivers/ieee1394/video1394.c --- linux/drivers/ieee1394/video1394.c Fri Jul 20 02:48:16 2001 +++ linux.grsec/drivers/ieee1394/video1394.c Sun Sep 30 01:54:19 2001 @@ -794,7 +794,11 @@ pos=(unsigned long) d->buf; while (size > 0) { page = kvirt_to_pa(pos); +#ifdef CONFIG_GRKERNSEC_PAX + if (remap_page_range(start, page, PAGE_SIZE, PAGE_SHARED_EXEC)) +#else if (remap_page_range(start, page, PAGE_SIZE, PAGE_SHARED)) +#endif return -EAGAIN; start+=PAGE_SIZE; pos+=PAGE_SIZE; diff -urN linux/drivers/media/video/bttv-driver.c linux.grsec/drivers/media/video/bttv-driver.c --- linux/drivers/media/video/bttv-driver.c Tue Jul 17 00:13:32 2001 +++ linux.grsec/drivers/media/video/bttv-driver.c Sun Sep 30 01:54:19 2001 @@ -2037,7 +2037,11 @@ pos=(unsigned long) btv->fbuffer; while (size > 0) { page = kvirt_to_pa(pos); +#ifdef CONFIG_GRKERNSEC_PAX + if (remap_page_range(start, page, PAGE_SIZE, PAGE_SHARED_EXEC)) +#else if (remap_page_range(start, page, PAGE_SIZE, PAGE_SHARED)) +#endif return -EAGAIN; start+=PAGE_SIZE; pos+=PAGE_SIZE; diff -urN linux/drivers/media/video/cpia.c linux.grsec/drivers/media/video/cpia.c --- linux/drivers/media/video/cpia.c Sun May 20 02:43:06 2001 +++ linux.grsec/drivers/media/video/cpia.c Sun Sep 30 01:54:19 2001 @@ -3004,7 +3004,11 @@ pos = (unsigned long)(cam->frame_buf); while (size > 0) { page = kvirt_to_pa(pos); +#ifdef CONFIG_GRKERNSEC_PAX + if (remap_page_range(start, page, PAGE_SIZE, PAGE_SHARED_EXEC)) { +#else if (remap_page_range(start, page, PAGE_SIZE, PAGE_SHARED)) { +#endif up(&cam->busy_lock); return -EAGAIN; } diff -urN linux/drivers/media/video/meye.c linux.grsec/drivers/media/video/meye.c --- linux/drivers/media/video/meye.c Wed Jul 4 23:41:33 2001 +++ linux.grsec/drivers/media/video/meye.c Sun Sep 30 01:54:19 2001 @@ -1267,7 +1267,11 @@ while (size > 0) { page = kvirt_to_pa(pos); +#ifdef CONFIG_GRKERNSEC_PAX + if (remap_page_range(start, page, PAGE_SIZE, PAGE_SHARED_EXEC)) { +#else if (remap_page_range(start, page, PAGE_SIZE, PAGE_SHARED)) { +#endif up(&meye.lock); return -EAGAIN; } diff -urN linux/drivers/media/video/planb.c linux.grsec/drivers/media/video/planb.c --- linux/drivers/media/video/planb.c Thu Jun 28 02:10:55 2001 +++ linux.grsec/drivers/media/video/planb.c Sun Sep 30 01:54:19 2001 @@ -2001,7 +2001,11 @@ } for (i = 0; i < pb->rawbuf_size; i++) { if (remap_page_range(start, virt_to_phys((void *)pb->rawbuf[i]), +#ifdef CONFIG_GRKERNSEC_PAX + PAGE_SIZE, PAGE_SHARED_EXEC)) +#else PAGE_SIZE, PAGE_SHARED)) +#endif return -EAGAIN; start += PAGE_SIZE; if (size <= PAGE_SIZE) diff -urN linux/drivers/media/video/zr36067.c linux.grsec/drivers/media/video/zr36067.c --- linux/drivers/media/video/zr36067.c Wed Jul 4 23:41:33 2001 +++ linux.grsec/drivers/media/video/zr36067.c Sun Sep 30 01:54:19 2001 @@ -4312,7 +4312,11 @@ frag_tab[2 * j]; page = virt_to_phys(bus_to_virt(pos)); /* should just be pos on i386 */ if (remap_page_range +#ifdef CONFIG_GRKERNSEC_PAX + (start, page, todo, PAGE_SHARED_EXEC)) { +#else (start, page, todo, PAGE_SHARED)) { +#endif printk(KERN_ERR "%s: zoran_mmap(V4L): remap_page_range failed\n", zr->name); @@ -4353,7 +4357,11 @@ ("V4L remap page range %d 0x%lx %ld to 0x%lx\n", i, page, todo, start)); if (remap_page_range +#ifdef CONFIG_GRKERNSEC_PAX + (start, page, todo, PAGE_SHARED_EXEC)) { +#else (start, page, todo, PAGE_SHARED)) { +#endif printk(KERN_ERR "%s: zoran_mmap(V4L): remap_page_range failed\n", zr->name); diff -urN linux/drivers/media/video/zr36120.c linux.grsec/drivers/media/video/zr36120.c --- linux/drivers/media/video/zr36120.c Tue Jul 17 00:13:32 2001 +++ linux.grsec/drivers/media/video/zr36120.c Sun Sep 30 01:54:19 2001 @@ -1475,7 +1475,11 @@ pos = (unsigned long)ztv->fbuffer; while (size>0) { unsigned long page = virt_to_phys((void*)pos); +#ifdef CONFIG_GRKERNSEC_PAX + if (remap_page_range(start, page, PAGE_SIZE, PAGE_SHARED_EXEC)) +#else if (remap_page_range(start, page, PAGE_SIZE, PAGE_SHARED)) +#endif return -EAGAIN; start += PAGE_SIZE; pos += PAGE_SIZE; diff -urN linux/drivers/usb/ibmcam.c linux.grsec/drivers/usb/ibmcam.c --- linux/drivers/usb/ibmcam.c Wed Jun 13 00:53:37 2001 +++ linux.grsec/drivers/usb/ibmcam.c Sun Sep 30 01:54:19 2001 @@ -2841,7 +2841,11 @@ pos = (unsigned long)ibmcam->fbuf; while (size > 0) { page = kvirt_to_pa(pos); +#ifdef CONFIG_GRKERNSEC_PAX + if (remap_page_range(start, page, PAGE_SIZE, PAGE_SHARED_EXEC)) +#else if (remap_page_range(start, page, PAGE_SIZE, PAGE_SHARED)) +#endif return -EAGAIN; start += PAGE_SIZE; diff -urN linux/drivers/usb/ov511.c linux.grsec/drivers/usb/ov511.c --- linux/drivers/usb/ov511.c Tue Jul 17 00:13:32 2001 +++ linux.grsec/drivers/usb/ov511.c Sun Sep 30 01:54:19 2001 @@ -2756,7 +2756,11 @@ pos = (unsigned long)ov511->fbuf; while (size > 0) { page = kvirt_to_pa(pos); +#ifdef CONFIG_GRKERNSEC_PAX + if (remap_page_range(start, page, PAGE_SIZE, PAGE_SHARED_EXEC)) +#else if (remap_page_range(start, page, PAGE_SIZE, PAGE_SHARED)) +#endif return -EAGAIN; start += PAGE_SIZE; pos += PAGE_SIZE; diff -urN linux/drivers/usb/pwc-if.c linux.grsec/drivers/usb/pwc-if.c --- linux/drivers/usb/pwc-if.c Thu Jun 21 02:42:09 2001 +++ linux.grsec/drivers/usb/pwc-if.c Sun Sep 30 01:54:19 2001 @@ -1511,7 +1511,11 @@ pos = (unsigned long)pdev->image_data; while (size > 0) { page = kvirt_to_pa(pos); +#ifdef CONFIG_GRKERNSEC_PAX + if (remap_page_range(start, page, PAGE_SIZE, PAGE_SHARED_EXEC)) +#else if (remap_page_range(start, page, PAGE_SIZE, PAGE_SHARED)) +#endif return -EAGAIN; start += PAGE_SIZE; diff -urN linux/drivers/usb/se401.c linux.grsec/drivers/usb/se401.c --- linux/drivers/usb/se401.c Mon Jul 2 22:56:41 2001 +++ linux.grsec/drivers/usb/se401.c Sun Sep 30 01:54:19 2001 @@ -1388,7 +1388,11 @@ pos = (unsigned long)se401->fbuf; while (size > 0) { page = kvirt_to_pa(pos); +#ifdef CONFIG_GRKERNSEC_PAX + if (remap_page_range(start, page, PAGE_SIZE, PAGE_SHARED_EXEC)) { +#else if (remap_page_range(start, page, PAGE_SIZE, PAGE_SHARED)) { +#endif up(&se401->lock); return -EAGAIN; } diff -urN linux/fs/binfmt_aout.c linux.grsec/fs/binfmt_aout.c --- linux/fs/binfmt_aout.c Fri Jul 20 05:33:38 2001 +++ linux.grsec/fs/binfmt_aout.c Sun Sep 30 01:54:20 2001 @@ -5,6 +5,7 @@ */ #include +#include #include #include @@ -29,6 +30,10 @@ #include #include +#ifdef CONFIG_GRKERNSEC_STACK +#include +#endif + static int load_aout_binary(struct linux_binprm *, struct pt_regs * regs); static int load_aout_library(struct file*); static int aout_core_dump(long signr, struct pt_regs * regs, struct file *file); @@ -305,6 +310,25 @@ current->mm->mmap = NULL; compute_creds(bprm); current->flags &= ~PF_FORKNOEXEC; +#ifdef CONFIG_GRKERNSEC_STACK + if (N_FLAGS(ex) & F_STACKEXEC) current->flags |= PF_STACKEXEC; +#endif + +#ifdef CONFIG_GRKERNSEC_PAX + if (!(N_FLAGS(ex) & F_PAX_PAGEEXEC)) + current->flags |= PF_PAX_PAGEEXEC; +#endif + +#ifdef CONFIG_GRKERNSEC_PAX_EMUTRAMP + if (N_FLAGS(ex) & F_PAX_EMUTRAMP) + current->flags |= PF_PAX_EMUTRAMP; +#endif + +#ifdef CONFIG_GRKERNSEC_PAX_MPROTECT + if (!(N_FLAGS(ex) & F_PAX_MPROTECT)) + current->flags |= PF_PAX_MPROTECT; +#endif + #ifdef __sparc__ if (N_MAGIC(ex) == NMAGIC) { loff_t pos = fd_offset; @@ -391,7 +415,11 @@ down_write(¤t->mm->mmap_sem); error = do_mmap(bprm->file, N_DATADDR(ex), ex.a_data, +#ifdef CONFIG_GRKERNSEC_PAX + PROT_READ | PROT_WRITE, +#else PROT_READ | PROT_WRITE | PROT_EXEC, +#endif MAP_FIXED | MAP_PRIVATE | MAP_DENYWRITE | MAP_EXECUTABLE, fd_offset + ex.a_text); up_write(¤t->mm->mmap_sem); diff -urN linux/fs/binfmt_elf.c linux.grsec/fs/binfmt_elf.c --- linux/fs/binfmt_elf.c Sun Sep 30 01:30:59 2001 +++ linux.grsec/fs/binfmt_elf.c Sun Sep 30 01:54:20 2001 @@ -10,7 +10,7 @@ */ #include - +#include #include #include #include @@ -31,6 +31,9 @@ #include #include #include +#ifdef CONFIG_GRKERNSEC_PAX +#include +#endif #include #include @@ -40,6 +43,10 @@ #include +#ifdef CONFIG_GRKERNSEC_STACK +#include +#endif + static int load_elf_binary(struct linux_binprm * bprm, struct pt_regs * regs); static int load_elf_library(struct file*); static unsigned long elf_map (struct file *, unsigned long, struct elf_phdr *, int, int); @@ -71,7 +78,10 @@ #define ELF_PAGEOFFSET(_v) ((_v) & (ELF_MIN_ALIGN-1)) #define ELF_PAGEALIGN(_v) (((_v) + ELF_MIN_ALIGN - 1) & ~(ELF_MIN_ALIGN - 1)) -static struct linux_binfmt elf_format = { +#ifndef CONFIG_GRKERNSEC_STACK +static +#endif +struct linux_binfmt elf_format = { NULL, THIS_MODULE, load_elf_binary, load_elf_library, elf_core_dump, ELF_EXEC_PAGESIZE }; @@ -133,6 +143,11 @@ } else u_platform = p; +#ifdef CONFIG_GRKERNSEC_PAX_RANDMMAP + if (current->flags & PF_PAX_RANDMMAP) + u_platform -= (current->mm->delta_stack & ~PAGE_MASK); +#endif + /* * Force 16 byte _final_ alignment here for generality. */ @@ -559,7 +574,48 @@ current->mm->end_data = 0; current->mm->end_code = 0; current->mm->mmap = NULL; +#ifdef CONFIG_GRKERNSEC_PAX + current->mm->delta_mmap = 0; + current->mm->delta_exec = 0; + current->mm->delta_stack = 0; +#endif current->flags &= ~PF_FORKNOEXEC; +#ifdef CONFIG_GRKERNSEC_STACK + if (elf_ex.e_flags & EF_STACKEXEC) + current->flags |= PF_STACKEXEC; +#endif + +#ifdef CONFIG_GRKERNSEC_PAX + if (!(elf_ex.e_flags & EF_PAX_PAGEEXEC)) + current->flags |= PF_PAX_PAGEEXEC; +#endif + +#ifdef CONFIG_GRKERNSEC_PAX_EMUTRAMP + if (elf_ex.e_flags & EF_PAX_EMUTRAMP) + current->flags |= PF_PAX_EMUTRAMP; +#endif + +#ifdef CONFIG_GRKERNSEC_PAX_MPROTECT + if (!(elf_ex.e_flags & EF_PAX_MPROTECT)) + current->flags |= PF_PAX_MPROTECT; +#endif + +#ifdef CONFIG_GRKERNSEC_PAX_RANDMMAP + if (!(elf_ex.e_flags & EF_PAX_RANDMMAP)) { + unsigned short delta; + current->flags |= PF_PAX_RANDMMAP; + + get_random_bytes(&delta, sizeof(delta)); + current->mm->delta_mmap = (unsigned long)delta << PAGE_SHIFT; + + get_random_bytes(&delta, sizeof(delta)); + current->mm->delta_exec = (unsigned long)delta << PAGE_SHIFT; + + get_random_bytes(&delta, sizeof(delta)); + current->mm->delta_stack = (unsigned long)delta << 4; + } +#endif + elf_entry = (unsigned long) elf_ex.e_entry; /* Do this so that we can load the interpreter, if need be. We will @@ -596,6 +652,13 @@ base, as well as whatever program they might try to exec. This is because the brk will follow the loader, and is not movable. */ load_bias = ELF_PAGESTART(ELF_ET_DYN_BASE - vaddr); +#ifdef CONFIG_GRKERNSEC_PAX_RANDMMAP + /* PaX: randomize base address at the default exe base if requested */ + if (current->flags | PF_PAX_RANDMMAP) { + load_bias = ELF_PAGESTART(0x08048000 - vaddr + current->mm->delta_exec); + } +#endif + } error = elf_map(bprm->file, load_bias + vaddr, elf_ppnt, elf_prot, elf_flags); diff -urN linux/fs/exec.c linux.grsec/fs/exec.c --- linux/fs/exec.c Fri Jul 20 05:32:54 2001 +++ linux.grsec/fs/exec.c Sun Sep 30 01:55:22 2001 @@ -45,6 +45,25 @@ #include #endif +#ifdef CONFIG_OBV_PROC +#include +#endif + + +#ifdef CONFIG_GRKERNSEC_FD +#include +#endif + +#if defined(CONFIG_GRKERNSEC_FD) || defined(CONFIG_GRKERNSEC_EXECVE) ||\ + defined(CONFIG_GRKERNSEC_COREDUMP)||defined(CONFIG_GRKERNSEC_TPE) ||\ + defined(CONFIG_GRKERNSEC_CHROOT_EXECLOG) || defined(CONFIG_GRKERNSEC_STACK) +#include +#endif + +#ifdef CONFIG_GRKERNSEC_CHROOT +extern struct task_struct *child_reaper; +#endif + static struct linux_binfmt *formats; static rwlock_t binfmt_lock = RW_LOCK_UNLOCKED; @@ -276,7 +295,12 @@ goto out; flush_dcache_page(page); flush_page_to_ram(page); +#ifdef CONFIG_GRKERNSEC_PAX + set_pte(pte, pte_mkdirty(pte_mkwrite(mk_pte(page, + (tsk->flags & PF_PAX_PAGEEXEC)?PAGE_COPY_NOEXEC:PAGE_COPY_EXEC)))); +#else set_pte(pte, pte_mkdirty(pte_mkwrite(mk_pte(page, PAGE_COPY)))); +#endif tsk->mm->rss++; spin_unlock(&tsk->mm->page_table_lock); @@ -297,6 +321,12 @@ stack_base = STACK_TOP - MAX_ARG_PAGES*PAGE_SIZE; +#ifdef CONFIG_GRKERNSEC_PAX_RANDMMAP + if (current->flags & PF_PAX_RANDMMAP) + stack_base = PAGE_MASK & (stack_base - current->mm->delta_stack); + +#endif + bprm->p += stack_base; if (bprm->loader) bprm->loader += stack_base; @@ -310,9 +340,15 @@ { mpnt->vm_mm = current->mm; mpnt->vm_start = PAGE_MASK & (unsigned long) bprm->p; +#ifdef CONFIG_GRKERNSEC_PAX + mpnt->vm_end = stack_base + MAX_ARG_PAGES*PAGE_SIZE; + mpnt->vm_page_prot = (current->flags & PF_PAX_PAGEEXEC)?PAGE_COPY_NOEXEC:PAGE_COPY_EXEC; + mpnt->vm_flags = (current->flags & PF_PAX_PAGEEXEC)?VM_STACK_FLAGS:(VM_STACK_FLAGS|VM_EXEC|VM_MAYEXEC); +#else mpnt->vm_end = STACK_TOP; mpnt->vm_page_prot = PAGE_COPY; mpnt->vm_flags = VM_STACK_FLAGS; +#endif mpnt->vm_ops = NULL; mpnt->vm_pgoff = 0; mpnt->vm_file = NULL; @@ -468,6 +504,65 @@ if (atomic_dec_and_test(&oldsig->count)) kmem_cache_free(sigact_cachep, oldsig); } +#ifdef CONFIG_GRKERNSEC_FD +static inline int tweak_fd_open_null(struct linux_binprm *bprm) +{ + struct inode *i; + struct dentry *d; + struct file *f; + + if(!(i = get_empty_inode())) + return -ENOMEM; + if(!(d = dget(d_alloc_root(i)))){ + iput(i); + return -ENOMEM; + } + if(!(f = get_empty_filp())){ + dput(d); + iput(i); + return -ENFILE; + } + i->i_mode = S_IFCHR | S_IRUGO | S_IWUGO; + i->i_uid = current->fsuid; + i->i_gid = current->fsgid; + i->i_rdev = MKDEV(MEM_MAJOR,3); + i->i_blksize = PAGE_SIZE; + i->i_blocks = 0; + i->i_atime = i->i_mtime = i->i_ctime = CURRENT_TIME; + i->i_op = &page_symlink_inode_operations; + i->i_state = I_DIRTY; + f->f_flags = O_RDWR; + f->f_mode = FMODE_READ | FMODE_WRITE; + f->f_dentry = d; + f->f_pos = 0; + f->f_reada = 0; + chrdev_open(i,f); + bprm->tweak_fd_null = f; + return 0; +} + +static int tweak_fd_0_1_2(struct linux_binprm *bprm) +{ + int fd,new,retval; + struct file *f; + f = bprm->tweak_fd_null; + for(fd=0;fd<=2;fd++){ + if(current->files->fd[fd]) continue; + if((new = get_unused_fd()) != fd) { + if(new >= 0) put_unused_fd(new); + return -EMFILE; + } + if(f) + atomic_inc(&f->f_count); + else + if((retval = tweak_fd_open_null(bprm))) + return retval; + fd_install(fd,bprm->tweak_fd_null); + bprm->tweak_fd_mask |= 1 << fd; + } + return 0; +} +#endif /* * These functions flushes out all traces of the currently running executable @@ -558,6 +653,25 @@ current->comm[i++] = ch; } current->comm[i] = '\0'; +#ifdef CONFIG_GRKERNSEC_STACK + current->flags &= ~PF_STACKEXEC; +#endif + +#ifdef CONFIG_GRKERNSEC_PAX + current->flags &= ~PF_PAX_PAGEEXEC; +#endif + +#ifdef CONFIG_GRKERNSEC_PAX_EMUTRAMP + current->flags &= ~PF_PAX_EMUTRAMP; +#endif + +#ifdef CONFIG_GRKERNSEC_PAX_MPROTECT + current->flags &= ~PF_PAX_MPROTECT; +#endif + +#ifdef CONFIG_GRKERNSEC_PAX_RANDMMAP + current->flags &= ~PF_PAX_RANDMMAP; +#endif flush_thread(); @@ -574,7 +688,10 @@ flush_signal_handlers(current); flush_old_files(current->files); - +#ifdef CONFIG_GRKERNSEC_FD + if(grsec_enable_fd && bprm->priv_change) + return tweak_fd_0_1_2(bprm); +#endif return 0; mmap_failed: @@ -604,6 +721,9 @@ { int mode; struct inode * inode = bprm->file->f_dentry->d_inode; +#ifdef CONFIG_GRKERNSEC_FD + if (grsec_enable_fd) bprm->priv_change = 0; +#endif mode = inode->i_mode; /* Huh? We had already checked for MAY_EXEC, WTF do we check this? */ @@ -617,8 +737,16 @@ if(!IS_NOSUID(inode)) { /* Set-uid? */ - if (mode & S_ISUID) - bprm->e_uid = inode->i_uid; +#ifdef CONFIG_GRKERNSEC_FD + if (mode & S_ISUID){ + bprm->e_uid = inode->i_uid; + if(grsec_enable_fd && (bprm->e_uid != current->euid)) + bprm->priv_change = 1; + } +#else + if (mode & S_ISUID) + bprm->e_uid = inode->i_uid; +#endif /* Set-gid? */ /* @@ -626,9 +754,17 @@ * is a candidate for mandatory locking, not a setgid * executable. */ - if ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP)) - bprm->e_gid = inode->i_gid; - } +#ifdef CONFIG_GRKERNSEC_FD + if ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP)){ + bprm->e_gid = inode->i_gid; + if(grsec_enable_fd && !in_group_p(bprm->e_gid)) + bprm->priv_change = 1; + } +#else + if ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP)) + bprm->e_gid = inode->i_gid; +#endif +} /* We don't have VFS support for capabilities yet */ cap_clear(bprm->cap_inheritable); @@ -648,10 +784,10 @@ cap_set_full(bprm->cap_inheritable); cap_set_full(bprm->cap_permitted); } - if (bprm->e_uid == 0) + + if (bprm->e_uid == 0) cap_set_full(bprm->cap_effective); } - memset(bprm->buf,0,BINPRM_BUF_SIZE); return kernel_read(bprm->file,0,bprm->buf,BINPRM_BUF_SIZE); } @@ -699,6 +835,9 @@ current->cap_permitted); } } +#ifdef CONFIG_GRKERNSEC_FD + if (grsec_enable_fd) tweak_fd_0_1_2(bprm); +#endif do_unlock = 1; } @@ -847,6 +986,39 @@ struct file *file; int retval; int i; +#ifdef CONFIG_GRKERNSEC_EXECLOG + int x; + char *grargs; + char grarg[68]; +#endif +#ifdef CONFIG_GRKERNSEC_CHROOT_EXECLOG + if(grsec_enable_chroot_execlog && + !( (current->fs->root->d_inode->i_dev == + child_reaper->fs->root->d_inode->i_dev) && + (current->fs->root->d_inode->i_ino == + child_reaper->fs->root->d_inode->i_ino) ) ) { + security_alert("exec of %.64s within chroot() jail (%.32s:%lu) by process (%.16s:%d), " + "UID (%d), EUID (%d), parent (%.16s:%d), UID (%d), EUID (%d)", + "execs from chroot()",filename,kdevname(current->fs->root->d_inode->i_dev), + current->fs->root->d_inode->i_ino,current->comm,current->pid, + current->uid,current->euid,current->p_pptr->comm,current->p_pptr->pid, + current->p_pptr->uid,current->p_pptr->euid); + } +#endif +#ifdef CONFIG_GRKERNSEC_EXECVE + if(grsec_enable_execve && current->user) + if(atomic_read(¤t->user->processes) > current->rlim[RLIMIT_NPROC].rlim_cur) + { + security_alert("Attempt to overstep process limit by (%.16s:%d), " + "UID(%d), EUID(%d), parent (%.16s:%d), UID(%d), EUID(%d)", + "proc limit overstep", + current->comm,current->pid,current->uid, + current->euid,current->p_pptr->comm, + current->p_pptr->pid,current->p_pptr->uid, + current->p_pptr->euid); + return -EAGAIN; + } +#endif file = open_exec(filename); @@ -854,6 +1026,94 @@ if (IS_ERR(file)) return retval; +#ifdef CONFIG_GRKERNSEC_TPE +if (grsec_enable_tpe) { +#ifdef CONFIG_GRKERNSEC_TPE_GLIBC +if (grsec_enable_tpe_glibc) { +#ifdef CONFIG_GRKERNSEC_TPE_ALL +if(grsec_enable_tpe_all?current->uid:in_group_p(grsec_tpe_gid)){ +#else +if(in_group_p(grsec_tpe_gid)){ +#endif + char **envpp=envp,*envpt; + while(*envpp){ + envpt=*envpp; + if((*envpt == 'L') && (*(envpt + 1) == 'D') && + (*(envpt + 2) == '_') && strchr(envpt,'=')){ + security_alert("denied exec of %.32s by (%.16s:%d), UID (%d), " + "EUID (%d), parent (%.16s:%d), UID (%d), EUID (%d) reason: " + "malicious environment","denied execs", + filename,current->comm,current->pid,current->uid,current->euid, + current->p_pptr->comm,current->p_pptr->pid,current->p_pptr->uid, + current->p_pptr->euid); + dput(file->f_dentry); + return -EACCES; + } + *envpp=*++envpp; + } + if(!strncmp(file->f_dentry->d_name.name,"ld-2.",5) && + !strncmp(file->f_dentry->d_parent->d_name.name,"lib",3)){ + security_alert("denied exec of %.32s by (%.16s:%d), UID (%d), " + "EUID (%d), parent (%.16s:%d), UID (%d), EUID (%d) reason: " + "tried to bypass via ld","denied execs", + filename,current->comm,current->pid,current->uid,current->euid, + current->p_pptr->comm,current->p_pptr->pid,current->p_pptr->uid, + current->p_pptr->euid); + dput(file->f_dentry); + return -EACCES; + } +} +} +#endif +if((current->uid) && + ((file->f_dentry->d_parent->d_inode->i_uid) || + (!(file->f_dentry->d_parent->d_inode->i_uid) && + ((file->f_dentry->d_parent->d_inode->i_mode & S_IWGRP) || + (file->f_dentry->d_parent->d_inode->i_mode & S_IWOTH)))) && + (in_group_p(grsec_tpe_gid))){ +security_alert("denied exec of %.32s by (%.16s:%d), UID (%d), " + "EUID (%d), parent (%.16s:%d), UID (%d), EUID (%d) reason: " + "untrusted","denied execs", + filename,current->comm,current->pid,current->uid,current->euid, + current->p_pptr->comm,current->p_pptr->pid,current->p_pptr->uid, + current->p_pptr->euid); + dput(file->f_dentry); + return -EACCES; +} +#ifdef CONFIG_GRKERNSEC_TPE_ALL +else if(grsec_enable_tpe_all && + (current->uid) && !(((!(file->f_dentry->d_parent->d_inode->i_uid) && + !(file->f_dentry->d_parent->d_inode->i_mode & S_IWGRP) && + !(file->f_dentry->d_parent->d_inode->i_mode & S_IWOTH)) || + ((file->f_dentry->d_parent->d_inode->i_uid == current->uid) && + !(file->f_dentry->d_parent->d_inode->i_mode & S_IWGRP) && + !(file->f_dentry->d_parent->d_inode->i_mode & S_IWOTH))))){ +security_alert("denied exec of %.32s by (%.16s:%d), UID (%d), " + "EUID (%d), parent (%.16s:%d), UID (%d), EUID (%d) reason:" + " untrusted","denied execs", + filename,current->comm,current->pid,current->uid,current->euid, + current->p_pptr->comm,current->p_pptr->pid,current->p_pptr->uid, + current->p_pptr->euid); + dput(file->f_dentry); + return -EACCES; +} +#endif +} +#endif + +#ifdef CONFIG_OBV_PROC +if( ( (obv_search(file->f_dentry,OBV_EXEC,file->f_vfsmnt)) == OBV_DENY) ) { + obv_seclog("denying execution of %.1024s by (%.16s:%d), " + "UID(%d), EUID(%d), parent (%.16s:%d), UID(%d), EUID(%d)\n", + filename,current->comm,current->pid,current->uid, + current->euid,current->p_pptr->comm, + current->p_pptr->pid,current->p_pptr->uid, + current->p_pptr->euid); + fput(file); + return -EPERM; +} +#endif + bprm.p = PAGE_SIZE*MAX_ARG_PAGES-sizeof(void *); memset(bprm.page, 0, MAX_ARG_PAGES*sizeof(bprm.page[0])); @@ -867,13 +1127,37 @@ fput(file); return bprm.argc; } +#ifdef CONFIG_GRKERNSEC_EXECLOG + if (grsec_enable_execlog) { + for(x=0;xcomm,current->pid,current->uid, + current->euid,current->p_pptr->comm, + current->p_pptr->pid,current->p_pptr->uid, + current->p_pptr->euid); + } +#endif if ((bprm.envc = count(envp, bprm.p / sizeof(void *))) < 0) { allow_write_access(file); fput(file); return bprm.envc; } - +#ifdef CONFIG_GRKERNSEC_FD + if (grsec_enable_fd) { + bprm.tweak_fd_mask = 0; + bprm.tweak_fd_null = NULL; + } +#endif retval = prepare_binprm(&bprm); if (retval < 0) goto out; @@ -892,9 +1176,19 @@ goto out; retval = search_binary_handler(&bprm,regs); - if (retval >= 0) + if (retval >= 0) { +#ifdef CONFIG_OBV_PROC + if(obv_set_proc_acl(file->f_dentry,current,filename,file->f_vfsmnt)) { + obv_seclog("could not set acl for %ld %d\n", + file->f_dentry->d_inode->i_ino, + file->f_dentry->d_inode->i_dev); + goto out; + } +#endif + /* execve success */ return retval; + } out: /* Something went wrong, return the inode and free the argument pages*/ @@ -907,7 +1201,13 @@ if (page) __free_page(page); } - +#ifdef CONFIG_GRKERNSEC_FD + if(grsec_enable_fd && bprm.tweak_fd_mask) { + for(i=0;i<=2;i++) + if(bprm.tweak_fd_mask & (1 << i)) + (void)sys_close(i); + } +#endif return retval; } @@ -940,8 +1240,11 @@ goto fail; memcpy(corename,"core.", 5); -#if 0 - memcpy(corename+5,current->comm,sizeof(current->comm)); +#ifdef CONFIG_GRKERNSEC_COREDUMP + if(grsec_enable_coredump) + memcpy(corename+5,current->comm,sizeof(current->comm)); + else + corename[4] = '\0'; #else corename[4] = '\0'; #endif @@ -960,7 +1263,11 @@ goto close_fail; if (!file->f_op->write) goto close_fail; +#ifdef CONFIG_OBV_PROC + if (do_truncate(file->f_dentry, 0, file->f_vfsmnt) != 0) +#else if (do_truncate(file->f_dentry, 0) != 0) +#endif goto close_fail; down_read(¤t->mm->mmap_sem); diff -urN linux/fs/namei.c linux.grsec/fs/namei.c --- linux/fs/namei.c Sun Sep 30 01:30:55 2001 +++ linux.grsec/fs/namei.c Sun Sep 30 01:54:20 2001 @@ -25,8 +25,21 @@ #include #include +#if defined(CONFIG_GRKERNSEC_LINK) || defined(CONFIG_GRKERNSEC_FIFO) ||\ + defined(CONFIG_GRKERNSEC_CHROOT) +#include +#endif + +#ifdef CONFIG_OBV_PROC +#include +#endif + #define ACC_MODE(x) ("\000\004\002\006"[(x)&O_ACCMODE]) +#ifdef CONFIG_GRKERNSEC_CHROOT +extern struct task_struct *child_reaper; +#endif + /* [Feb-1997 T. Schoebel-Theuer] * Fundamental changes in the pathname lookup mechanisms (namei) * were necessary because of omirr. The reason is that omirr needs @@ -309,6 +322,27 @@ if (current->link_count >= 8) goto loop; current->link_count++; +#ifdef CONFIG_GRKERNSEC_LINK + if(grsec_enable_link && S_ISLNK(dentry->d_inode->i_mode) && + (dentry->d_parent->d_inode->i_mode & S_ISVTX) && + dentry->d_parent->d_inode->i_uid != dentry->d_inode->i_uid && + (dentry->d_parent->d_inode->i_mode & S_IWOTH) && + current->fsuid != dentry->d_inode->i_uid) { + security_alert("not following symlink (%.30s/%.30s) of [%.32s]:%lu owned by %d.%d " + "by (%.16s:%d), UID (%d), EUID (%d), parent (%.16s:%d), " + "UID (%d), EUID (%d)","symlinks not followed", + dentry->d_parent->d_name.name, + dentry->d_name.name, + kdevname(dentry->d_inode->i_dev), + dentry->d_inode->i_ino, + dentry->d_inode->i_uid, + dentry->d_inode->i_gid,current->comm, + current->pid,current->uid,current->euid, + current->p_pptr->comm,current->p_pptr->pid, + current->p_pptr->uid,current->p_pptr->euid); + return -EACCES; + } +#endif UPDATE_ATIME(dentry->d_inode); err = dentry->d_inode->i_op->follow_link(dentry, nd); current->link_count--; @@ -589,6 +623,24 @@ else if (this.len == 2 && this.name[1] == '.') nd->last_type = LAST_DOTDOT; return_base: +#ifdef CONFIG_OBV_PROC + if(nd->dentry) + if( ( (obv_check_hidden(nd->dentry,nd->mnt)) == OBV_DENY) ) { + obv_seclog("attempt to access hidden file " + "with inode %ld dev %d by (%.16s:%d), " + "UID(%d), EUID(%d), parent (%.16s:%d), " + "UID(%d), EUID(%d)\n", + nd->dentry->d_inode->i_ino, + nd->dentry->d_inode->i_dev, + current->comm,current->pid,current->uid, + current->euid,current->p_pptr->comm, + current->p_pptr->pid,current->p_pptr->uid, + current->p_pptr->euid); + err = -ENOENT; /*Fake that its not there*/ + goto out_dput; + } +#endif + return 0; out_dput: dput(dentry); @@ -930,6 +982,62 @@ struct dentry *dentry; struct dentry *dir; int count = 0; +#ifdef CONFIG_OBV_PROC + int tmp; + if(nd->flags) { + nd->flags = 0; + if(path_init(pathname,lookup_flags(flag)|LOOKUP_PARENT,nd)) + error = path_walk(pathname,nd); + if(error) return error; + } else { + if(path_init(pathname,lookup_flags(flag),nd)) + error = path_walk(pathname,nd); + if(error) return error; + } + if( (tmp = (flag&O_ACCMODE)) > 0) { + if(tmp & FMODE_READ ) { + if( (obv_search(nd->dentry,OBV_READ,nd->mnt)) == OBV_DENY) { + obv_seclog("attempt to open %.1024s read-only " + "by (%.16s:%d), UID(%d), EUID(%d), parent " + "(%.16s:%d), UID(%d), EUID(%d)\n",pathname, + current->comm,current->pid,current->uid, + current->euid,current->p_pptr->comm, + current->p_pptr->pid,current->p_pptr->uid, + current->p_pptr->euid); + error = -EPERM; + goto exit; + } + } + else if(flag & O_APPEND) { + if( (obv_search(nd->dentry,OBV_APPEND,nd->mnt)) == OBV_DENY) { + obv_seclog("attempt to open %.1024s " + "append-only by (%.16s:%d), UID(%d), " + "EUID(%d), parent (%.16s:%d), UID(%d), EUID(%d)\n", + pathname,current->comm,current->pid,current->uid, + current->euid,current->p_pptr->comm, + current->p_pptr->pid,current->p_pptr->uid, + current->p_pptr->euid); + error = -EPERM; + goto exit; + } + } + if(tmp & FMODE_WRITE && (!(flag & O_APPEND))) { /* its write*/ + if( ( (obv_search(nd->dentry,OBV_WRITE,nd->mnt)) == OBV_DENY) ) { + obv_seclog("attempt to open %.1024s " + "for writing by (%.16s:%d), UID(%d), " + "EUID(%d), parent (%.16s:%d), UID(%d), EUID(%d)\n", + pathname,current->comm,current->pid,current->uid, + current->euid,current->p_pptr->comm, + current->p_pptr->pid,current->p_pptr->uid, + current->p_pptr->euid); + error = -EPERM; + goto exit; + } + } + } + path_release(nd); +#endif + acc_mode = ACC_MODE(flag); @@ -1032,12 +1140,32 @@ error = permission(inode,acc_mode); if (error) goto exit; - /* * FIFO's, sockets and device files are special: they don't * actually live on the filesystem itself, and as such you * can write to them even if the filesystem is read-only. */ +#ifdef CONFIG_GRKERNSEC_FIFO + if (grsec_enable_fifo && + S_ISFIFO(inode->i_mode) && !(flag & O_EXCL) && + (dentry->d_parent->d_inode->i_mode & S_ISVTX) && + inode->i_uid != dentry->d_parent->d_inode->i_uid && + current->fsuid != inode->i_uid) { + if (!permission(inode, acc_mode)) + security_alert("denied writing FIFO (%.32s/%.32s) of %d.%d " + "by (%.16s:%d), UID(%d), EUID(%d), parent " + "(%.16s:%d), UID(%d), EUID(%d)", + "writes into a FIFO denied",dentry->d_parent->d_name.name,dentry->d_name.name, + inode->i_uid, inode->i_gid, + current->comm,current->pid, + current->uid, current->euid, + current->p_pptr->comm, + current->p_pptr->pid,current->p_pptr->uid, + current->p_pptr->euid); + error = -EACCES; + goto exit; + } +#endif if (S_ISFIFO(inode->i_mode) || S_ISSOCK(inode->i_mode)) { flag &= ~O_TRUNC; } else if (S_ISBLK(inode->i_mode) || S_ISCHR(inode->i_mode)) { @@ -1081,7 +1209,11 @@ if (!error) { DQUOT_INIT(inode); +#ifdef CONFIG_OBV_PROC + error = do_truncate(dentry,0,nd->mnt); +#else error = do_truncate(dentry, 0); +#endif } put_write_access(inode); if (error) @@ -1112,6 +1244,29 @@ * stored in nd->last.name and we will have to putname() it when we * are done. Procfs-like symlinks just set LAST_BIND. */ +#ifdef CONFIG_GRKERNSEC_LINK + if(grsec_enable_link && S_ISLNK(dentry->d_inode->i_mode) && + (dentry->d_parent->d_inode->i_mode & S_ISVTX) && + dentry->d_parent->d_inode->i_uid != dentry->d_inode->i_uid && + (dentry->d_parent->d_inode->i_mode & S_IWOTH) && + current->fsuid != dentry->d_inode->i_uid) { + security_alert("not following symlink (%.30s/%.30s) [%.32s]:%lu of %d.%d " + "by (%.16s:%d), UID (%d), EUID (%d), parent (%.16s:%d), " + "UID (%d), EUID (%d)","symlinks not followed", + dentry->d_parent->d_name.name, + dentry->d_name.name, + kdevname(dentry->d_inode->i_dev), + dentry->d_inode->i_ino, + dentry->d_inode->i_uid, + dentry->d_inode->i_gid,current->comm, + current->pid,current->uid,current->euid, + current->p_pptr->comm,current->p_pptr->pid, + current->p_pptr->uid,current->p_pptr->euid); + error = -EACCES; + goto exit; + } +#endif + UPDATE_ATIME(dentry->d_inode); error = dentry->d_inode->i_op->follow_link(dentry, nd); dput(dentry); @@ -1195,7 +1350,9 @@ char * tmp; struct dentry * dentry; struct nameidata nd; - +#ifdef CONFIG_GRKERNSEC_CHROOT + char grdevmode; +#endif if (S_ISDIR(mode)) return -EPERM; tmp = getname(filename); @@ -1212,6 +1369,50 @@ if (!IS_POSIX_ACL(nd.dentry->d_inode)) mode &= ~current->fs->umask; if (!IS_ERR(dentry)) { +#ifdef CONFIG_GRKERNSEC_CHROOT + if (grsec_enable_chroot && !S_ISFIFO(mode)) { + if(!( (current->fs->root->d_inode->i_dev == + child_reaper->fs->root->d_inode->i_dev) && + (current->fs->root->d_inode->i_ino == + child_reaper->fs->root->d_inode->i_ino) ) ) { + switch (mode & S_IFMT) { + case S_IFREG: grdevmode = 'r'; break; + case S_IFCHR: grdevmode = 'c'; break; + case S_IFBLK: grdevmode = 'b'; break; + case S_IFSOCK: grdevmode = 's'; break; + default: grdevmode = 'u'; + } + security_alert("refused attempt to mknod(%c:%.32s) (%.30s) from chroot() jail (%s:%lu) " + "owned by %d %d by (%.16s:%d), UID (%d), EUID (%d), parent (%.16s:%d), UID " + "(%d), EUID (%d)","chroot() mknods denied",grdevmode,kdevname(dev),tmp, + kdevname(current->fs->root->d_inode->i_dev),current->fs->root->d_inode->i_ino, + current->fs->root->d_inode->i_uid,current->fs->root->d_inode->i_gid, + current->comm,current->pid,current->uid,current->euid,current->p_pptr->comm, + current->p_pptr->pid,current->p_pptr->uid,current->p_pptr->euid); + dput(dentry); + error = -EPERM; + goto out; + } + } +#endif +#ifdef CONFIG_OBV_PROC + if( ( (obv_search(nd.dentry,OBV_WRITE,nd.mnt)) == OBV_DENY) ) { + obv_seclog("attempt to mknod %.1024s (dev %d) by (%.16s:%d), " + "UID(%d), EUID(%d), parent (%.16s:%d), UID(%d), EUID(%d)\n", + filename,dev,current->comm,current->pid,current->uid, + current->euid,current->p_pptr->comm, + current->p_pptr->pid,current->p_pptr->uid, + current->p_pptr->euid); + dput(dentry); + path_release(&nd); + error = -EPERM; + goto out; + } +#endif + + + + switch (mode & S_IFMT) { case 0: case S_IFREG: error = vfs_create(nd.dentry->d_inode,dentry,mode); @@ -1279,9 +1480,26 @@ dentry = lookup_create(&nd, 1); error = PTR_ERR(dentry); if (!IS_ERR(dentry)) { +#ifdef CONFIG_OBV_PROC + error = 0; + if( ( ((obv_search(nd.dentry,OBV_WRITE,nd.mnt)) == OBV_DENY))){ + obv_seclog("attempt to mkdir %.1024s by (%.16s:%d), " + "UID(%d), EUID(%d), parent (%.16s:%d), UID(%d), EUID(%d)\n", + pathname,current->comm,current->pid,current->uid, + current->euid,current->p_pptr->comm, + current->p_pptr->pid,current->p_pptr->uid, + current->p_pptr->euid); + error = -EPERM; + } + if(!error) { +#endif + if (!IS_POSIX_ACL(nd.dentry->d_inode)) mode &= ~current->fs->umask; error = vfs_mkdir(nd.dentry->d_inode, dentry, mode); +#ifdef CONFIG_OBV_PROC + } +#endif dput(dentry); } up(&nd.dentry->d_inode->i_sem); @@ -1388,7 +1606,20 @@ dentry = lookup_hash(&nd.last, nd.dentry); error = PTR_ERR(dentry); if (!IS_ERR(dentry)) { - error = vfs_rmdir(nd.dentry->d_inode, dentry); +#ifdef CONFIG_OBV_PROC + error = 0; + if( ( (obv_search(nd.dentry,OBV_WRITE,nd.mnt)) == OBV_DENY)) { + obv_seclog("attempt to rmdir %.1024s by (%.16s:%d), " + "UID(%d), EUID(%d), parent (%.16s:%d), UID(%d), EUID(%d)\n", + pathname,current->comm,current->pid,current->uid, + current->euid,current->p_pptr->comm, + current->p_pptr->pid,current->p_pptr->uid, + current->p_pptr->euid); + error = -EPERM; + } + if(!error) +#endif + error = vfs_rmdir(nd.dentry->d_inode, dentry); dput(dentry); } up(&nd.dentry->d_inode->i_sem); @@ -1451,7 +1682,21 @@ /* Why not before? Because we want correct error value */ if (nd.last.name[nd.last.len]) goto slashes; - error = vfs_unlink(nd.dentry->d_inode, dentry); +#ifdef CONFIG_OBV_PROC + error = 0; + if( ( (obv_search(dentry,OBV_WRITE, nd.mnt)) == OBV_DENY)) { + obv_seclog("attempt to unlink %.1024s by (%.16s:%d), " + "UID(%d), EUID(%d), parent (%.16s:%d), UID(%d), EUID(%d)\n", + name,current->comm,current->pid,current->uid, + current->euid,current->p_pptr->comm, + current->p_pptr->pid,current->p_pptr->uid, + current->p_pptr->euid); + error = -EPERM; + } + if(!error) +#endif + + error = vfs_unlink(nd.dentry->d_inode, dentry); exit2: dput(dentry); } @@ -1508,6 +1753,19 @@ if (!IS_ERR(to)) { struct dentry *dentry; struct nameidata nd; +#ifdef CONFIG_OBV_PROC + struct nameidata old_nd; + if(path_init(from,LOOKUP_POSITIVE|LOOKUP_FOLLOW,&old_nd)) + if(path_walk(from,&old_nd)) { +#ifdef CONFIG_OBV_DEBUG + printk("Error looking up %s\n",from); +#endif + + path_release(&old_nd); + return -EROFS; + } +#endif + if (path_init(to, LOOKUP_PARENT, &nd)) error = path_walk(to, &nd); @@ -1516,7 +1774,24 @@ dentry = lookup_create(&nd, 0); error = PTR_ERR(dentry); if (!IS_ERR(dentry)) { - error = vfs_symlink(nd.dentry->d_inode, dentry, from); +#ifdef CONFIG_OBV_PROC + error = 0; + if( obv_search(old_nd.dentry,OBV_WRITE,old_nd.mnt) == OBV_DENY || obv_search(nd.dentry,OBV_WRITE,nd.mnt) == OBV_DENY) { + obv_seclog("attempt to symlink %.1024s " + "to %.1024s by (%.16s:%d), UID(%d), " + "EUID(%d), parent (%.16s:%d), UID(%d) " + "EUID(%d)\n",oldname,newname, + current->comm,current->pid,current->uid, + current->euid,current->p_pptr->comm, + current->p_pptr->pid,current->p_pptr->uid, + current->p_pptr->euid); + error = -EPERM; + } + path_release(&old_nd); + if(!error) +#endif + + error = vfs_symlink(nd.dentry->d_inode, dentry, from); dput(dentry); } up(&nd.dentry->d_inode->i_sem); @@ -1607,7 +1882,44 @@ new_dentry = lookup_create(&nd, 0); error = PTR_ERR(new_dentry); if (!IS_ERR(new_dentry)) { - error = vfs_link(old_nd.dentry, nd.dentry->d_inode, new_dentry); +#ifdef CONFIG_GRKERNSEC_LINK + if(grsec_enable_link) { + error = -EPERM; + if(current->fsuid != old_nd.dentry->d_inode->i_uid && + (!S_ISREG(old_nd.dentry->d_inode->i_mode) || + (old_nd.dentry->d_inode->i_mode & S_ISUID) || + ((old_nd.dentry->d_inode->i_mode & (S_ISGID | S_IXGRP)) == + (S_ISGID | S_IXGRP)) || (error = permission(old_nd.dentry->d_inode, + MAY_READ | MAY_WRITE))) && !capable(CAP_FOWNER) && current->uid) { + security_alert("denied hardlink of %.30s (owned by %d.%d) to %.30s for (%.16s:%d)," + " UID(%d), EUID(%d), parent (%.16s:%d), UID(%d), EUID(%d)", + "denied hardlinks",oldname,old_nd.dentry->d_inode->i_uid, + old_nd.dentry->d_inode->i_gid,newname,current->comm,current->pid,current->uid, + current->euid,current->p_pptr->comm,current->p_pptr->pid, + current->p_pptr->uid,current->p_pptr->euid); + } else { +#endif +#ifdef CONFIG_OBV_PROC + error = 0; + if( obv_search(old_nd.dentry,OBV_WRITE,old_nd.mnt) == OBV_DENY || obv_search(nd.dentry,OBV_WRITE,nd.mnt) == OBV_DENY) { + obv_seclog("attempt to link %.1024s to %.1024s " + "by (%.16s:%d), UID(%d), " + "EUID(%d), parent (%.16s:%d), UID(%d) " + "EUID(%d)\n",oldname,newname, + current->comm,current->pid,current->uid, + current->euid,current->p_pptr->comm, + current->p_pptr->pid,current->p_pptr->uid, + current->p_pptr->euid); + error = -EPERM; + } + if(!error) +#endif + + error = vfs_link(old_nd.dentry, nd.dentry->d_inode, new_dentry); +#ifdef CONFIG_GRKERNSEC_LINK + } + } +#endif dput(new_dentry); } up(&nd.dentry->d_inode->i_sem); @@ -1844,11 +2156,30 @@ error = PTR_ERR(new_dentry); if (IS_ERR(new_dentry)) goto exit4; +#ifdef CONFIG_OBV_PROC + error = 0; + if( obv_search(old_dir,OBV_WRITE,oldnd.mnt) == OBV_DENY || obv_search(new_dir,OBV_WRITE,newnd.mnt) == OBV_DENY) { + obv_seclog("attempt to rename %.1024s to %.1024s " + "by (%.16s:%d), UID(%d), " + "EUID(%d), parent (%.16s:%d), UID(%d) " + "EUID(%d)\n",oldname,newname, + current->comm,current->pid,current->uid, + current->euid,current->p_pptr->comm, + current->p_pptr->pid,current->p_pptr->uid, + current->p_pptr->euid); + error = -EPERM; + } + if(!error) { +#endif - lock_kernel(); - error = vfs_rename(old_dir->d_inode, old_dentry, - new_dir->d_inode, new_dentry); - unlock_kernel(); + + lock_kernel(); + error = vfs_rename(old_dir->d_inode, old_dentry, + new_dir->d_inode, new_dentry); + unlock_kernel(); +#ifdef CONFIG_OBV_PROC + } +#endif dput(new_dentry); exit4: diff -urN linux/fs/open.c linux.grsec/fs/open.c --- linux/fs/open.c Sun Sep 30 01:30:53 2001 +++ linux.grsec/fs/open.c Sun Sep 30 01:54:20 2001 @@ -17,8 +17,35 @@ #include +#if defined(CONFIG_GRKERNSEC_CHROOT)||\ + defined(CONFIG_GRKERNSEC_CHROOT_CAPS) +#include +#endif + +#ifdef CONFIG_OBV_PROC +#include +#endif + #define special_file(m) (S_ISCHR(m)||S_ISBLK(m)||S_ISFIFO(m)||S_ISSOCK(m)) +#ifdef CONFIG_GRKERNSEC_CHROOT +extern struct task_struct *child_reaper; +#endif + +#ifdef CONFIG_OBV_PROC +static int conv_flags(int p) { + int retval = LOOKUP_FOLLOW; + if(p & O_NOFOLLOW) + retval &= ~LOOKUP_FOLLOW; + if( (p & (O_CREAT|O_EXCL)) == (O_CREAT | O_EXCL)) + retval &= ~LOOKUP_FOLLOW; + if(p & O_DIRECTORY) + retval |= LOOKUP_DIRECTORY; + return retval; +} +#endif + + int vfs_statfs(struct super_block *sb, struct statfs *buf) { int retval = -ENODEV; @@ -70,7 +97,11 @@ return error; } +#ifdef CONFIG_OBV_PROC +int do_truncate(struct dentry *dentry, loff_t length, struct vfsmount *mnt) +#else int do_truncate(struct dentry *dentry, loff_t length) +#endif { struct inode *inode = dentry->d_inode; int error; @@ -80,6 +111,22 @@ if (length < 0) return -EINVAL; +#ifdef CONFIG_OBV_PROC + if( ( (obv_search(dentry,OBV_WRITE,mnt)) == OBV_DENY)) { + obv_seclog("attempted to truncate file with inode %ld dev " + "%d by (%.16s:%d), UID(%d), EUID(%d), parent (%.16s:%d), " + "UID(%d),EUID(%d)\n",dentry->d_inode->i_ino, + dentry->d_inode->i_dev, + current->comm,current->pid,current->uid, + current->euid,current->p_pptr->comm, + current->p_pptr->pid,current->p_pptr->uid, + current->p_pptr->euid); + dput(dentry); + return -EPERM; + } +#endif + + down(&inode->i_sem); down_write(&inode->i_truncate_sem); newattrs.ia_size = length; @@ -135,7 +182,11 @@ error = locks_verify_truncate(inode, NULL, length); if (!error) { DQUOT_INIT(inode); +#ifdef CONFIG_OBV_PROC + error = do_truncate(nd.dentry, length, nd.mnt); +#else error = do_truncate(nd.dentry, length); +#endif } put_write_access(inode); @@ -175,7 +226,11 @@ error = locks_verify_truncate(inode, file, length); if (!error) +#ifdef CONFIG_OBV_PROC + error = do_truncate(dentry, length, file->f_vfsmnt); +#else error = do_truncate(dentry, length); +#endif out_putf: fput(file); out: @@ -229,6 +284,23 @@ if (IS_RDONLY(inode)) goto dput_and_out; +#ifdef CONFIG_OBV_PROC + if( ( (obv_search(nd.dentry,OBV_WRITE,nd.mnt)) == OBV_DENY)) { + obv_seclog("attempted to change access time for file" + "with inode %ld dev " + "%d by (%.16s:%d), UID(%d), EUID(%d), parent (%.16s:%d), " + "UID(%d),EUID(%d)\n",nd.dentry->d_inode->i_ino, + nd.dentry->d_inode->i_dev, + current->comm,current->pid,current->uid, + current->euid,current->p_pptr->comm, + current->p_pptr->pid,current->p_pptr->uid, + current->p_pptr->euid); + path_release(&nd); + return -EPERM; + } +#endif + + /* Don't worry, the checks are done in inode_change_ok() */ newattrs.ia_valid = ATTR_CTIME | ATTR_MTIME | ATTR_ATIME; if (times) { @@ -274,6 +346,23 @@ if (IS_RDONLY(inode)) goto dput_and_out; +#ifdef CONFIG_OBV_PROC + if( ( (obv_search(nd.dentry,OBV_WRITE,nd.mnt)) == OBV_DENY)) { + obv_seclog("attempted to change access time for file with" + "inode %ld dev " + "%d by (%.16s:%d), UID(%d), EUID(%d), parent (%.16s:%d), " + "UID(%d),EUID(%d)\n",nd.dentry->d_inode->i_ino, + nd.dentry->d_inode->i_dev, + current->comm,current->pid,current->uid, + current->euid,current->p_pptr->comm, + current->p_pptr->pid,current->p_pptr->uid, + current->p_pptr->euid); + path_release(&nd); + return -EPERM; + } +#endif + + /* Don't worry, the checks are done in inode_change_ok() */ newattrs.ia_valid = ATTR_CTIME | ATTR_MTIME | ATTR_ATIME; if (utimes) { @@ -325,6 +414,21 @@ res = user_path_walk(filename, &nd); if (!res) { +#ifdef CONFIG_OBV_PROC + if( ( (obv_search(nd.dentry,OBV_WRITE,nd.mnt)) == OBV_DENY)) { + obv_seclog("attempted to access file with inode %ld dev " + "%d by (%.16s:%d), UID(%d), EUID(%d), parent (%.16s:%d), " + "UID(%d),EUID(%d)\n",nd.dentry->d_inode->i_ino, + nd.dentry->d_inode->i_dev, + current->comm,current->pid,current->uid, + current->euid,current->p_pptr->comm, + current->p_pptr->pid,current->p_pptr->uid, + current->p_pptr->euid); + path_release(&nd); + res = -EPERM; + } +#endif + res = permission(nd.dentry->d_inode, mode); /* SuS v2 requires we report a read only fs too */ if(!res && (mode & S_IWOTH) && IS_RDONLY(nd.dentry->d_inode) @@ -362,6 +466,21 @@ if (error) goto dput_and_out; +#ifdef CONFIG_OBV_PROC + if( ( (obv_search(nd.dentry,OBV_READ,nd.mnt)) == OBV_DENY)) { + obv_seclog("Attempted to chdir to directory with inode %ld dev " + "%d by (%.16s:%d), UID(%d), EUID(%d), parent (%.16s:%d), " + "UID(%d),EUID(%d)\n",nd.dentry->d_inode->i_ino, + nd.dentry->d_inode->i_dev, + current->comm,current->pid,current->uid, + current->euid,current->p_pptr->comm, + current->p_pptr->pid,current->p_pptr->uid, + current->p_pptr->euid); + error = -EPERM; + goto dput_and_out; + } +#endif + set_fs_pwd(current->fs, nd.mnt, nd.dentry); dput_and_out: @@ -392,6 +511,21 @@ goto out_putf; error = permission(inode, MAY_EXEC); + +#ifdef CONFIG_OBV_PROC + if( ( (obv_search(file->f_dentry,OBV_WRITE,file->f_vfsmnt)) == OBV_DENY)) { + obv_seclog("attempted to truncate file with inode %ld dev " + "%d by (%.16s:%d), UID(%d), EUID(%d), parent (%.16s:%d), " + "UID(%d), EUID(%d)\n",file->f_dentry->d_inode->i_ino, + file->f_dentry->d_inode->i_dev, + current->comm,current->pid,current->uid, + current->euid,current->p_pptr->comm, + current->p_pptr->pid,current->p_pptr->uid, + current->p_pptr->euid); + error = -EPERM; + } +#endif + if (!error) set_fs_pwd(current->fs, mnt, dentry); out_putf: @@ -423,11 +557,46 @@ goto dput_and_out; error = -EPERM; - if (!capable(CAP_SYS_CHROOT)) - goto dput_and_out; + if (!capable(CAP_SYS_CHROOT)) + goto dput_and_out; +#ifdef CONFIG_GRKERNSEC_CHROOT + if(grsec_enable_chroot && + !( (current->fs->root->d_inode->i_dev == + child_reaper->fs->root->d_inode->i_dev) && + (current->fs->root->d_inode->i_ino == + child_reaper->fs->root->d_inode->i_ino) ) ) { + security_alert("denied attempt to chroot() from (%.32s:%lu) to (%.30s)" + ", process (%.16s:%d), UID (%d), EUID (%d), parent " + "(%16s:%d), UID (%d), EUID (%d)", "double chroot() denied", + kdevname(current->fs->root->d_inode->i_dev),current->fs->root->d_inode->i_ino,name, + current->comm,current->pid,current->uid,current->euid, + current->p_pptr->comm,current->p_pptr->pid,current->p_pptr->uid, + current->p_pptr->euid); + goto dput_and_out; + } +#endif set_fs_root(current->fs, nd.mnt, nd.dentry); set_fs_altroot(); +#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS + if(grsec_enable_chroot_caps && current->pid && current->pid > 1) { + cap_lower(current->cap_permitted,CAP_FOWNER & CAP_SETPCAP & CAP_LINUX_IMMUTABLE & + CAP_NET_ADMIN & CAP_SYS_MODULE & CAP_SYS_RAWIO & CAP_SYS_PACCT & + CAP_SYS_ADMIN & CAP_SYS_BOOT & CAP_SYS_RESOURCE & CAP_SYS_TIME & + CAP_SYS_TTY_CONFIG); + cap_lower(current->cap_inheritable,CAP_FOWNER & CAP_SETPCAP & CAP_LINUX_IMMUTABLE & + CAP_NET_ADMIN & CAP_SYS_MODULE & CAP_SYS_RAWIO & CAP_SYS_PACCT & + CAP_SYS_ADMIN & CAP_SYS_BOOT & CAP_SYS_RESOURCE & CAP_SYS_TIME & + CAP_SYS_TTY_CONFIG); + cap_lower(current->cap_effective,CAP_FOWNER & CAP_SETPCAP & CAP_LINUX_IMMUTABLE & + CAP_NET_ADMIN & CAP_SYS_MODULE & CAP_SYS_RAWIO & CAP_SYS_PACCT & + CAP_SYS_ADMIN & CAP_SYS_BOOT & CAP_SYS_RESOURCE & CAP_SYS_TIME & + CAP_SYS_TTY_CONFIG); + } +#endif +#ifdef CONFIG_GRKERNSEC_CHROOT + if (grsec_enable_chroot) sys_chdir("/"); +#endif error = 0; dput_and_out: path_release(&nd); @@ -456,8 +625,46 @@ err = -EPERM; if (IS_IMMUTABLE(inode) || IS_APPEND(inode)) goto out_putf; + +#ifdef CONFIG_OBV_PROC + if( ( (obv_search(dentry,OBV_WRITE,file->f_vfsmnt)) == OBV_DENY)) { + obv_seclog("Attempt to fchmod program with inode %ld dev %d " + "by (%.16s:%d), UID(%d), EUID(%d), parent (%.16s:%d), " + "UID(%d),EUID(%d)\n",dentry->d_inode->i_ino, + dentry->d_inode->i_dev, + current->comm,current->pid,current->uid, + current->euid,current->p_pptr->comm, + current->p_pptr->pid,current->p_pptr->uid, + current->p_pptr->euid); + + err = -EPERM; + goto out_putf; + } +#endif + if (mode == (mode_t) -1) mode = inode->i_mode; +#ifdef CONFIG_GRKERNSEC_CHROOT + if(grsec_enable_chroot && ((mode & S_ISUID) || (mode & S_ISGID))) { + if(!( (current->fs->root->d_inode->i_dev == + child_reaper->fs->root->d_inode->i_dev) && + (current->fs->root->d_inode->i_ino == + child_reaper->fs->root->d_inode->i_ino) ) ) { + + security_alert("denied attempt to fchmod() +s (%.32s:%lu) owned by %d.%d to mode 0%07o " + "from chroot() jail (%.32s:%lu) of %d.%d by (%.16s:%d), UID (%d), " + "EUID (%d), parent (%.16s:%d), UID (%d), EUID (%d)","denied fchmod() +s in chroot()", + kdevname(inode->i_dev),inode->i_ino,inode->i_uid,inode->i_gid,mode, + kdevname(current->fs->root->d_inode->i_dev),current->fs->root->d_inode->i_ino, + current->fs->root->d_inode->i_uid,current->fs->root->d_inode->i_gid, + current->comm,current->pid,current->uid,current->euid, + current->p_pptr->comm,current->p_pptr->pid,current->p_pptr->uid, + current->p_pptr->euid); + err = -EPERM; + goto out_putf; + } + } +#endif newattrs.ia_mode = (mode & S_IALLUGO) | (inode->i_mode & ~S_IALLUGO); newattrs.ia_valid = ATTR_MODE | ATTR_CTIME; err = notify_change(dentry, &newattrs); @@ -488,8 +695,43 @@ if (IS_IMMUTABLE(inode) || IS_APPEND(inode)) goto dput_and_out; +#ifdef CONFIG_OBV_PROC + if( ( (obv_search(nd.dentry,OBV_WRITE,nd.mnt)) == OBV_DENY)) { + obv_seclog("Attempt to chmod file %1024s by (%.16s:%d), " + "UID(%d), EUID(%d), parent (%.16s:%d), " + "UID(%d),EUID(%d)\n",filename, + current->comm,current->pid,current->uid, + current->euid,current->p_pptr->comm, + current->p_pptr->pid,current->p_pptr->uid, + current->p_pptr->euid); + error = -EPERM; + goto dput_and_out; + } +#endif + + if (mode == (mode_t) -1) mode = inode->i_mode; +#ifdef CONFIG_GRKERNSEC_CHROOT + if (grsec_enable_chroot && ((mode & S_ISUID) || (mode & S_ISGID))) { + if(!( (current->fs->root->d_inode->i_dev == + child_reaper->fs->root->d_inode->i_dev) && + (current->fs->root->d_inode->i_ino == + child_reaper->fs->root->d_inode->i_ino) ) ) { + security_alert("denied attempt to chmod() +s (%.32s:%lu) (%.30s) owned by %d.%d to mode 0%07o " + "from chroot() jail (%.32s:%lu) of %d.%d by (%.16s:%d), UID (%d), " + "EUID (%d), parent (%.16s:%d), UID (%d), EUID (%d)","denied fchmod() +s in chroot()", + kdevname(inode->i_dev),inode->i_ino,filename,inode->i_uid,inode->i_gid, + mode,kdevname(current->fs->root->d_inode->i_dev), + current->fs->root->d_inode->i_ino,current->fs->root->d_inode->i_uid, + current->fs->root->d_inode->i_gid,current->comm,current->pid, + current->uid,current->euid,current->p_pptr->comm,current->p_pptr->pid, + current->p_pptr->uid,current->p_pptr->euid); + error = -EPERM; + goto dput_and_out; + } + } +#endif newattrs.ia_mode = (mode & S_IALLUGO) | (inode->i_mode & ~S_IALLUGO); newattrs.ia_valid = ATTR_MODE | ATTR_CTIME; error = notify_change(nd.dentry, &newattrs); @@ -500,7 +742,7 @@ return error; } -static int chown_common(struct dentry * dentry, uid_t user, gid_t group) +static int chown_common(struct dentry * dentry, uid_t user, gid_t group, struct vfsmount *mnt) { struct inode * inode; int error; @@ -514,9 +756,36 @@ error = -EROFS; if (IS_RDONLY(inode)) goto out; +#ifdef CONFIG_GRKERNSEC_NOEXEC + if(in_group_p(CONFIG_GRKERNSEC_NOEXEC_GID) && + (group == CONFIG_GRKERNSEC_NOEXEC_GID)){ + security_alert("denied chown of %.32s by (%.16s:%d), UID(%d), " + "EUID(%d), parent (%.16s:%d), UID(%d), EUID(%d) reason: tried to " + "bypass noexec","denied noexec chowns",dentry->d_name.name,current->comm, + current->pid,current->uid,current->euid,current->p_pptr->comm, + current->p_pptr->pid,current->p_pptr->uid,current->p_pptr->euid); + return -EPERM; + } +#endif + error = -EPERM; if (IS_IMMUTABLE(inode) || IS_APPEND(inode)) goto out; +#ifdef CONFIG_OBV_PROC + if( ( (obv_search(dentry,OBV_WRITE,mnt)) == OBV_DENY)) { + obv_seclog("Attempt to chown file with inode %ld dev %d " + "to %d.%d by (%.16s:%d), UID(%d), EUID(%d), parent " + "(%.16s:%d), UID(%d), EUID(%d)\n", + dentry->d_inode->i_ino,dentry->d_inode->i_dev,user,group, + current->comm,current->pid,current->uid, + current->euid,current->p_pptr->comm, + current->p_pptr->pid,current->p_pptr->uid, + current->p_pptr->euid); + dput(dentry); + return -EPERM; + } +#endif + if (user == (uid_t) -1) user = inode->i_uid; if (group == (gid_t) -1) @@ -567,7 +836,7 @@ error = user_path_walk(filename, &nd); if (!error) { - error = chown_common(nd.dentry, user, group); + error = chown_common(nd.dentry, user, group, nd.mnt); path_release(&nd); } return error; @@ -580,7 +849,7 @@ error = user_path_walk_link(filename, &nd); if (!error) { - error = chown_common(nd.dentry, user, group); + error = chown_common(nd.dentry, user, group, nd.mnt); path_release(&nd); } return error; @@ -594,7 +863,7 @@ file = fget(fd); if (file) { - error = chown_common(file->f_dentry, user, group); + error = chown_common(file->f_dentry, user, group, file->f_vfsmnt); fput(file); } return error; @@ -618,12 +887,30 @@ { int namei_flags, error; struct nameidata nd; +#ifdef CONFIG_OBV_PROC + struct nameidata obv; +#endif namei_flags = flags; if ((namei_flags+1) & O_ACCMODE) namei_flags++; if (namei_flags & O_TRUNC) namei_flags |= 2; + +#ifdef CONFIG_OBV_PROC + error = 0; + if(path_init(filename,conv_flags(namei_flags),&obv)) + error = path_walk(filename,&obv); + if(error) goto out; + if(!obv.dentry->d_inode) + nd.flags = 1; + else + nd.flags = 0; + path_release(&obv); +out: + +#endif + error = open_namei(filename, namei_flags, mode, &nd); if (!error) diff -urN linux/fs/proc/base.c linux.grsec/fs/proc/base.c --- linux/fs/proc/base.c Sun Sep 30 01:30:59 2001 +++ linux.grsec/fs/proc/base.c Sun Sep 30 01:54:20 2001 @@ -24,6 +24,10 @@ #include #include +#ifdef CONFIG_OBV_PROC +#include +#endif + /* * For hysterical raisins we keep the same inumbers as in the old procfs. * Feel free to change the macro below - just keep the range distinct from @@ -566,6 +570,25 @@ static struct pid_entry base_stuff[] = { E(PROC_PID_FD, "fd", S_IFDIR|S_IRUSR|S_IXUSR), E(PROC_PID_ENVIRON, "environ", S_IFREG|S_IRUSR), +#ifdef CONFIG_GRKERNSEC_PROC_USER + E(PROC_PID_STATUS, "status", S_IFREG|S_IRUSR), + E(PROC_PID_CMDLINE, "cmdline", S_IFREG|S_IRUSR), + E(PROC_PID_STAT, "stat", S_IFREG|S_IRUSR), + E(PROC_PID_STATM, "statm", S_IFREG|S_IRUSR), +#ifdef CONFIG_SMP + E(PROC_PID_CPU, "cpu", S_IFREG|S_IRUSR), +#endif + E(PROC_PID_MAPS, "maps", S_IFREG|S_IRUSR), +#elif CONFIG_GRKERNSEC_PROC_USERGROUP + E(PROC_PID_STATUS, "status", S_IFREG|S_IRUSR|S_IRGRP), + E(PROC_PID_CMDLINE, "cmdline", S_IFREG|S_IRUSR|S_IRGRP), + E(PROC_PID_STAT, "stat", S_IFREG|S_IRUSR|S_IRGRP), + E(PROC_PID_STATM, "statm", S_IFREG|S_IRUSR|S_IRGRP), +#ifdef CONFIG_SMP + E(PROC_PID_CPU, "cpu", S_IFREG|S_IRUSR|S_IRGRP), +#endif + E(PROC_PID_MAPS, "maps", S_IFREG|S_IRUSR|S_IRGRP), +#else E(PROC_PID_STATUS, "status", S_IFREG|S_IRUGO), E(PROC_PID_CMDLINE, "cmdline", S_IFREG|S_IRUGO), E(PROC_PID_STAT, "stat", S_IFREG|S_IRUGO), @@ -575,6 +598,7 @@ E(PROC_PID_CPUS_ALLOWED, "cpus_allowed", S_IFREG|S_IRUGO|S_IWUSR), #endif E(PROC_PID_MAPS, "maps", S_IFREG|S_IRUGO), +#endif E(PROC_PID_MEM, "mem", S_IFREG|S_IRUSR|S_IWUSR), E(PROC_PID_CWD, "cwd", S_IFLNK|S_IRWXUGO), E(PROC_PID_ROOT, "root", S_IFLNK|S_IRWXUGO), @@ -726,7 +750,11 @@ inode->i_gid = 0; if (ino == PROC_PID_INO || task_dumpable(task)) { inode->i_uid = task->euid; +#ifndef CONFIG_GRKERNSEC_PROC_USERGROUP inode->i_gid = task->egid; +#else + inode->i_gid = CONFIG_GRKERNSEC_PROC_GID; +#endif } out: @@ -1034,13 +1062,26 @@ if (!task) goto out; +#ifdef CONFIG_OBV_PROC + if(task->obvacl) + if(obv_check_hidden_proc(task)) + goto out; +#endif + + inode = proc_pid_make_inode(dir->i_sb, task, PROC_PID_INO); free_task_struct(task); if (!inode) goto out; +#ifdef CONFIG_GRKERNSEC_PROC_USER + inode->i_mode = S_IFDIR|S_IRUSR|S_IXUSR; +#elif CONFIG_GRKERNSEC_PROC_USERGROUP + inode->i_mode = S_IFDIR|S_IRUSR|S_IXUSR|S_IRGRP|S_IXGRP; +#else inode->i_mode = S_IFDIR|S_IRUGO|S_IXUGO; +#endif inode->i_op = &proc_base_inode_operations; inode->i_fop = &proc_base_operations; inode->i_nlink = 3; @@ -1082,6 +1123,12 @@ continue; if (--index >= 0) continue; +#ifdef CONFIG_OBV_PROC + if(p->obvacl) + if(obv_check_hidden_proc(p)) + continue; +#endif + pids[nr_pids] = pid; nr_pids++; if (nr_pids >= PROC_MAXPIDS) diff -urN linux/fs/proc/inode.c linux.grsec/fs/proc/inode.c --- linux/fs/proc/inode.c Wed Apr 18 08:16:39 2001 +++ linux.grsec/fs/proc/inode.c Sun Sep 30 01:54:20 2001 @@ -152,7 +152,11 @@ if (de->mode) { inode->i_mode = de->mode; inode->i_uid = de->uid; +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP + inode->i_gid = CONFIG_GRKERNSEC_PROC_GID; +#else inode->i_gid = de->gid; +#endif } if (de->size) inode->i_size = de->size; diff -urN linux/fs/read_write.c linux.grsec/fs/read_write.c --- linux/fs/read_write.c Tue Apr 17 23:36:44 2001 +++ linux.grsec/fs/read_write.c Sun Sep 30 01:54:20 2001 @@ -14,6 +14,11 @@ #include +#ifdef CONFIG_OBV_PROC +#include +#endif + + struct file_operations generic_ro_fops = { read: generic_file_read, mmap: generic_file_mmap, @@ -124,6 +129,21 @@ file = fget(fd); if (file) { if (file->f_mode & FMODE_READ) { +#ifdef CONFIG_OBV_PROC + if( (file->f_dentry->d_inode) && (S_ISBLK(file->f_dentry->d_inode->i_mode)) && (!capable(CAP_SYS_RAWIO))) { + obv_seclog("Attempt to read from block file " + "with inode %ld dev %d by (%.16s:%d), " + "UID(%d), EUID(%d), parent (%.16s:%d), UID(%d), EUID(%d)\n", + file->f_dentry->d_inode->i_ino,file->f_dentry->d_inode->i_dev, + current->comm,current->pid,current->uid, + current->euid,current->p_pptr->comm, + current->p_pptr->pid,current->p_pptr->uid, + current->p_pptr->euid); + fput(file); + return -EPERM; + } +#endif + ret = locks_verify_area(FLOCK_VERIFY_READ, file->f_dentry->d_inode, file, file->f_pos, count); if (!ret) { @@ -151,6 +171,21 @@ if (file) { if (file->f_mode & FMODE_WRITE) { struct inode *inode = file->f_dentry->d_inode; +#ifdef CONFIG_OBV_PROC + if( (inode != NULL) && (S_ISBLK(inode->i_mode)) && (!capable(CAP_SYS_RAWIO))) { + obv_seclog("Attempt to write to block file " + "with inode %ld dev %d by (%.16s:%d), " + "UID(%d), EUID(%d), parent (%.16s:%d), UID(%d), EUID(%d)\n", + inode->i_ino,inode->i_dev, + current->comm,current->pid,current->uid, + current->euid,current->p_pptr->comm, + current->p_pptr->pid,current->p_pptr->uid, + current->p_pptr->euid); + fput(file); + return -EPERM; + } +#endif + ret = locks_verify_area(FLOCK_VERIFY_WRITE, inode, file, file->f_pos, count); if (!ret) { diff -urN linux/fs/readdir.c linux.grsec/fs/readdir.c --- linux/fs/readdir.c Mon Dec 11 22:45:42 2000 +++ linux.grsec/fs/readdir.c Sun Sep 30 01:54:20 2001 @@ -13,6 +13,10 @@ #include +#ifdef CONFIG_OBV_PROC +#include +#endif + int vfs_readdir(struct file *file, filldir_t filler, void *buf) { struct inode *inode = file->f_dentry->d_inode; @@ -120,6 +124,10 @@ struct readdir_callback { struct old_linux_dirent * dirent; int count; +#ifdef CONFIG_OBV_PROC + struct dentry *dentry; + struct vfsmount *mnt; +#endif }; static int fillonedir(void * __buf, const char * name, int namlen, off_t offset, @@ -127,9 +135,30 @@ { struct readdir_callback * buf = (struct readdir_callback *) __buf; struct old_linux_dirent * dirent; +#ifdef CONFIG_OBV_PROC + ino_t old_ino; +#endif if (buf->count) return -EINVAL; +#ifdef CONFIG_OBV_PROC + if(buf->dentry && buf->dentry->d_inode) { + old_ino = buf->dentry->d_inode->i_ino; + //down(&buf->dentry->d_inode->i_sem); + buf->dentry->d_inode->i_ino = ino; +#ifdef CONFIG_OBV_PROC + printk("Guess what: %ld %d is about to get a readdir check\n",buf->dentry->d_inode->i_ino,buf->dentry->d_inode->i_dev); +#endif + if( obv_check_hidden(buf->dentry,buf->mnt) == OBV_DENY) { + buf->dentry->d_inode->i_ino = old_ino; + //up(&buf->dentry->d_inode->i_sem); + return 0; + } + //up(&buf->dentry->d_inode->i_sem); + buf->dentry->d_inode->i_ino = ino; + } +#endif + buf->count++; dirent = buf->dirent; put_user(ino, &dirent->d_ino); @@ -153,6 +182,10 @@ buf.count = 0; buf.dirent = dirent; +#ifdef CONFIG_OBV_PROC + buf.dentry = file->f_dentry; + buf.mnt = file->f_vfsmnt; +#endif error = vfs_readdir(file, fillonedir, &buf); if (error >= 0) @@ -181,6 +214,10 @@ struct linux_dirent * previous; int count; int error; +#ifdef CONFIG_OBV_PROC + struct dentry *dentry; + struct vfsmount *mnt; +#endif }; static int filldir(void * __buf, const char * name, int namlen, off_t offset, @@ -189,10 +226,30 @@ struct linux_dirent * dirent; struct getdents_callback * buf = (struct getdents_callback *) __buf; int reclen = ROUND_UP(NAME_OFFSET(dirent) + namlen + 1); +#ifdef CONFIG_OBV_PROC + ino_t old_ino; +#endif buf->error = -EINVAL; /* only used if we fail.. */ if (reclen > buf->count) return -EINVAL; +#ifdef CONFIG_OBV_PROC + if(buf->dentry && buf->dentry->d_inode) { + old_ino = buf->dentry->d_inode->i_ino; + //down(&buf->dentry->d_inode->i_sem); + buf->dentry->d_inode->i_ino = ino; +#ifdef CONFIG_OBV_DEBUG + printk("Guess what: %ld %d is about to get a readdir check\n",buf->dentry->d_inode->i_ino,buf->dentry->d_inode->i_dev); +#endif + if( obv_check_hidden(buf->dentry,buf->mnt) == OBV_DENY) { + buf->dentry->d_inode->i_ino = old_ino; + //up(&buf->dentry->d_inode->i_sem); + return 0; + } + buf->dentry->d_inode->i_ino = old_ino; + //up(&buf->dentry->d_inode->i_sem); + } +#endif dirent = buf->previous; if (dirent) put_user(offset, &dirent->d_off); @@ -224,6 +281,10 @@ buf.previous = NULL; buf.count = count; buf.error = 0; +#ifdef CONFIG_OBV_PROC + buf.dentry = file->f_dentry; + buf.mnt = file->f_vfsmnt; +#endif error = vfs_readdir(file, filldir, &buf); if (error < 0) @@ -259,6 +320,10 @@ struct linux_dirent64 * previous; int count; int error; +#ifdef CONFIG_OBV_PROC + struct dentry *dentry; + struct vfsmount *mnt; +#endif }; static int filldir64(void * __buf, const char * name, int namlen, off_t offset, @@ -267,10 +332,30 @@ struct linux_dirent64 * dirent, d; struct getdents_callback64 * buf = (struct getdents_callback64 *) __buf; int reclen = ROUND_UP64(NAME_OFFSET(dirent) + namlen + 1); - + +#ifdef CONFIG_OBV_PROC + ino_t old_ino; +#endif buf->error = -EINVAL; /* only used if we fail.. */ if (reclen > buf->count) return -EINVAL; +#ifdef CONFIG_OBV_PROC + if(buf->dentry && buf->dentry->d_inode) { + old_ino = buf->dentry->d_inode->i_ino; + //down(&buf->dentry->d_inode->i_sem); + buf->dentry->d_inode->i_ino = ino; + if((obv_check_hidden(buf->dentry,buf->mnt)) == OBV_DENY) { + buf->dentry->d_inode->i_ino = old_ino; + // up(&buf->dentry->d_inode->i_sem); + return 0; + } + buf->dentry->d_inode->i_ino = old_ino; + //up(&buf->dentry->d_inode->i_sem); + } +#endif + + + dirent = buf->previous; if (dirent) { d.d_off = offset; @@ -307,6 +392,11 @@ buf.previous = NULL; buf.count = count; buf.error = 0; +#ifdef CONFIG_OBV_PROC + buf.mnt = file->f_vfsmnt; + buf.dentry = file->f_dentry; +#endif + error = vfs_readdir(file, filldir64, &buf); if (error < 0) diff -urN linux/fs/super.c linux.grsec/fs/super.c --- linux/fs/super.c Sun Sep 30 01:30:55 2001 +++ linux.grsec/fs/super.c Sun Sep 30 01:54:20 2001 @@ -42,6 +42,12 @@ #define __NO_VERSION__ #include +#ifdef CONFIG_GRKERNSEC_CHROOT +#include +#include +extern struct task_struct *child_reaper; +#endif + /* * We use a semaphore to synchronize all mount/umount * activity - imagine the mess if we have a race between @@ -1422,6 +1428,27 @@ retval = path_walk(dir_name, &nd); if (retval) return retval; + +#ifdef CONFIG_GRKERNSEC_CHROOT + if (grsec_enable_chroot && + !( (current->fs->root->d_inode->i_dev == + child_reaper->fs->root->d_inode->i_dev) && + (current->fs->root->d_inode->i_ino == + child_reaper->fs->root->d_inode->i_ino) ) ) { + security_alert("denied attempt to mount (%.30s) as %.64s from chroot() jail (%.32s:%lu) " + "of %d.%d by (%.16s:%d), UID (%d), EUID (%d), parent (%.16s:%d), " + "UID (%d), EUID (%d)","denied mounts in chroot()",dev_name,dir_name, + kdevname(current->fs->root->d_inode->i_dev), + current->fs->root->d_inode->i_ino,current->fs->root->d_inode->i_uid, + current->fs->root->d_inode->i_gid,current->comm,current->pid, + current->uid,current->euid,current->p_pptr->comm,current->p_pptr->pid, + current->p_pptr->uid,current->p_pptr->euid); + retval = -EPERM; + path_release(&nd); + return retval; + } +#endif + if (flags & MS_REMOUNT) retval = do_remount(&nd, flags&~MS_REMOUNT, diff -urN linux/grsecurity/Config.in linux.grsec/grsecurity/Config.in --- linux/grsecurity/Config.in Thu Jan 1 01:00:00 1970 +++ linux.grsec/grsecurity/Config.in Sun Sep 30 01:54:20 2001 @@ -0,0 +1,124 @@ +mainmenu_option next_comment +comment 'Buffer Overflow Protection' +if [ "$CONFIG_X86" != "n" ]; then +if [ "$CONFIG_GRKERNSEC_PAX" != "y" ]; then +bool 'Openwall non-executable stack' CONFIG_GRKERNSEC_STACK +if [ "$CONFIG_GRKERNSEC_STACK" != "n" ]; then +bool ' Gcc trampoline support' CONFIG_GRKERNSEC_STACK_GCC +fi +fi +if [ "$CONFIG_GRKERNSEC_STACK" != "y" ]; then +bool 'PaX protection' CONFIG_GRKERNSEC_PAX +if [ "$CONFIG_GRKERNSEC_PAX" = "y" ]; then + bool ' Emulate trampolines' CONFIG_PAX_EMUTRAMP + bool ' Restrict mprotect()' CONFIG_PAX_MPROTECT + bool ' Randomize mmap() base' CONFIG_GRKERNSEC_PAX_RANDMMAP +fi +fi +fi +endmenu +mainmenu_option next_comment +comment 'Access Control Lists' +bool 'Enable Oblivion Process Management' CONFIG_OBV_PROC +if [ "$CONFIG_OBV_PROC" = "y" ]; then + int 'Maximum Number of Oblivion Rulesets for Files, Processes' CONFIG_OBV_MAX_RULESET 256 + int 'Seconds in between Oblivion log messages(minimum)' CONFIG_OBV_FLOODTIME 3 + choice 'Default ruleset for programs without acls' \ + "Deny CONFIG_OBV_DEF_DENY \ + Allow CONFIG_OBV_DEF_ALLOW \ + Deny_if_running_as_root CONFIG_OBV_DEF_DENY_ROOT " Allow + bool 'Enable Oblivion Debugging Messages' CONFIG_OBV_DEBUG + string 'Path to obvadm' CONFIG_OBVADM_PATH "/sbin/obvadm" + int 'Maximum tries before password lockout' CONFIG_OBV_MAXTRIES 3 + int 'Time to wait after max password tries, in seconds' CONFIG_OBV_TIMEOUT 30 +fi +endmenu +mainmenu_option next_comment +comment 'Filesystem Protections' +bool 'Proc restrictions' CONFIG_GRKERNSEC_PROC +if [ "$CONFIG_GRKERNSEC_PROC" != "n" ]; then +bool ' Restrict to user only' CONFIG_GRKERNSEC_PROC_USER +if [ "$CONFIG_GRKERNSEC_PROC_USER" != "y" ]; then +bool ' Allow special group' CONFIG_GRKERNSEC_PROC_USERGROUP +if [ "$CONFIG_GRKERNSEC_PROC_USERGROUP" != "n" ]; then +int ' GID for special group' CONFIG_GRKERNSEC_PROC_GID 1001 +fi +fi +fi +bool 'Linking restrictions' CONFIG_GRKERNSEC_LINK +bool 'FIFO restrictions' CONFIG_GRKERNSEC_FIFO +bool 'Secure file descriptors' CONFIG_GRKERNSEC_FD +bool 'Chroot jail restrictions' CONFIG_GRKERNSEC_CHROOT +if [ "$CONFIG_GRKERNSEC_CHROOT" != "n" ]; then +bool ' Log execs within jail' CONFIG_GRKERNSEC_CHROOT_EXECLOG +bool ' Capability restrictions' CONFIG_GRKERNSEC_CHROOT_CAPS +fi +bool 'Secure keymap loading' CONFIG_GRKERNSEC_KBMAP +endmenu +mainmenu_option next_comment +comment 'Security Logging' +bool 'Exec logging' CONFIG_GRKERNSEC_EXECLOG +bool 'Set*id logging' CONFIG_GRKERNSEC_SUID +bool 'Signal logging' CONFIG_GRKERNSEC_SIGNAL +bool 'Fork failure logging' CONFIG_GRKERNSEC_FORKFAIL +bool 'Time change logging' CONFIG_GRKERNSEC_TIME +endmenu +mainmenu_option next_comment +comment 'Executable Protections' +bool 'Exec process limiting' CONFIG_GRKERNSEC_EXECVE +bool 'Fork-bomb protection' CONFIG_GRKERNSEC_FORKBOMB +if [ "$CONFIG_GRKERNSEC_FORKBOMB" != "n" ]; then +int ' GID for restricted users' CONFIG_GRKERNSEC_FORKBOMB_GID 1006 +int ' Forks allowed per second' CONFIG_GRKERNSEC_FORKBOMB_SEC 40 +int ' Maximum processes allowed' CONFIG_GRKERNSEC_FORKBOMB_MAX 20 +fi +bool 'Trusted path execution' CONFIG_GRKERNSEC_TPE +if [ "$CONFIG_GRKERNSEC_TPE" != "n" ]; then +bool ' Glibc protection' CONFIG_GRKERNSEC_TPE_GLIBC +bool ' Partially restrict non-root users' CONFIG_GRKERNSEC_TPE_ALL +int ' GID for untrusted users:' CONFIG_GRKERNSEC_TPE_GID 1005 +fi +endmenu +mainmenu_option next_comment +comment 'Network Protections' +bool 'Randomized PIDs' CONFIG_GRKERNSEC_RANDPID +bool 'Randomized IP IDs' CONFIG_GRKERNSEC_RANDID +bool 'Randomized TCP source ports' CONFIG_GRKERNSEC_RANDSRC +bool 'Altered Ping IDs' CONFIG_GRKERNSEC_RANDPING +bool 'Randomized TTL' CONFIG_GRKERNSEC_RANDTTL +if [ "$CONFIG_GRKERNSEC_RANDTTL" != "n" ]; then +int ' TTL starting point:' CONFIG_GRKERNSEC_RANDTTL_THRESH 64 +fi +bool 'Enhanced network randomness' CONFIG_GRKERNSEC_RANDNET +bool 'Socket restrictions' CONFIG_GRKERNSEC_SOCKET +if [ "$CONFIG_GRKERNSEC_SOCKET" != "n" ]; then +bool ' Deny any sockets to group' CONFIG_GRKERNSEC_SOCKET_ALL +if [ "$CONFIG_GRKERNSEC_SOCKET_ALL" != "n" ]; then +int ' GID to deny all sockets for:' CONFIG_GRKERNSEC_ALL_GID 1004 +fi +bool ' Deny client sockets to group' CONFIG_GRKERNSEC_SOCKET_CLIENT +if [ "$CONFIG_GRKERNSEC_SOCKET_CLIENT" != "n" ]; then +int ' GID to deny client sockets for:' CONFIG_GRKERNSEC_CLIENT_GID 1003 +fi +bool ' Deny server sockets to group' CONFIG_GRKERNSEC_SOCKET_SERVER +if [ "$CONFIG_GRKERNSEC_SOCKET_SERVER" != "n" ]; then +int ' GID to deny server sockets for:' CONFIG_GRKERNSEC_SERVER_GID 1002 +fi +fi +bool 'Stealth networking' CONFIG_GRKERNSEC_STEALTH +if [ "$CONFIG_GRKERNSEC_STEALTH" != "n" ]; then +bool ' Do not send Connection Resets' CONFIG_GRKERNSEC_STEALTH_RST +bool ' Do not reply to UDP with ICMP unreachables' CONFIG_GRKERNSEC_STEALTH_UDP +bool ' Do not reply to ICMP requests' CONFIG_GRKERNSEC_STEALTH_ICMP +bool ' Do not reply to IGMP requests' CONFIG_GRKERNSEC_STEALTH_IGMP +bool ' Drop packets with illegitimate flags' CONFIG_GRKERNSEC_STEALTH_FLAGS +fi +endmenu +mainmenu_option next_comment +comment 'Sysctl support' +bool 'Sysctl support' CONFIG_GRKERNSEC_SYSCTL +endmenu +mainmenu_option next_comment +comment 'Miscellaneous Enhancements' +bool 'BSD-style coredumps' CONFIG_GRKERNSEC_COREDUMP +endmenu diff -urN linux/include/asm-i386/a.out.h linux.grsec/include/asm-i386/a.out.h --- linux/include/asm-i386/a.out.h Fri Jun 16 20:33:06 1995 +++ linux.grsec/include/asm-i386/a.out.h Sun Sep 30 01:54:20 2001 @@ -18,9 +18,11 @@ #define N_SYMSIZE(a) ((a).a_syms) #ifdef __KERNEL__ - +#ifdef CONFIG_GRKERNSEC_STACK +#define STACK_TOP ((current->flags & PF_STACKEXEC) ? TASK_SIZE - _STK_LIM : TASK_SIZE) +#else #define STACK_TOP TASK_SIZE - +#endif #endif #endif /* __A_OUT_GNU_H__ */ diff -urN linux/include/asm-i386/pgtable.h linux.grsec/include/asm-i386/pgtable.h --- linux/include/asm-i386/pgtable.h Fri Jul 20 21:52:18 2001 +++ linux.grsec/include/asm-i386/pgtable.h Sun Sep 30 01:54:20 2001 @@ -180,9 +180,19 @@ #define _PAGE_CHG_MASK (PTE_MASK | _PAGE_ACCESSED | _PAGE_DIRTY) #define PAGE_NONE __pgprot(_PAGE_PROTNONE | _PAGE_ACCESSED) +#ifdef CONFIG_GRKERNSEC_PAX +#define PAGE_SHARED_EXEC __pgprot(_PAGE_PRESENT | _PAGE_RW |_PAGE_USER |_PAGE_ACCESSED) +#define PAGE_COPY_EXEC __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_ACCESSED) +#define PAGE_READONLY_EXEC __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_ACCESSED) + +#define PAGE_SHARED_NOEXEC __pgprot(_PAGE_PRESENT | _PAGE_RW | _PAGE_ACCESSED) +#define PAGE_COPY_NOEXEC __pgprot(_PAGE_PRESENT | _PAGE_ACCESSED) +#define PAGE_READONLY_NOEXEC __pgprot(_PAGE_PRESENT | _PAGE_ACCESSED) +#else #define PAGE_SHARED __pgprot(_PAGE_PRESENT | _PAGE_RW | _PAGE_USER | _PAGE_ACCESSED) #define PAGE_COPY __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_ACCESSED) #define PAGE_READONLY __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_ACCESSED) +#endif #define __PAGE_KERNEL \ (_PAGE_PRESENT | _PAGE_RW | _PAGE_DIRTY | _PAGE_ACCESSED) @@ -216,6 +226,15 @@ * This is the closest we can get.. */ #define __P000 PAGE_NONE +#ifdef CONFIG_GRKERNSEC_PAX +#define __P001 PAGE_READONLY_NOEXEC +#define __P010 PAGE_COPY_NOEXEC +#define __P011 PAGE_COPY_NOEXEC +#define __P100 PAGE_READONLY_EXEC +#define __P101 PAGE_READONLY_EXEC +#define __P110 PAGE_COPY_EXEC +#define __P111 PAGE_COPY_EXEC +#else #define __P001 PAGE_READONLY #define __P010 PAGE_COPY #define __P011 PAGE_COPY @@ -223,8 +242,18 @@ #define __P101 PAGE_READONLY #define __P110 PAGE_COPY #define __P111 PAGE_COPY +#endif #define __S000 PAGE_NONE +#ifdef CONFIG_GRKERNSEC_PAX +#define __S001 PAGE_READONLY_NOEXEC +#define __S010 PAGE_SHARED_NOEXEC +#define __S011 PAGE_SHARED_NOEXEC +#define __S100 PAGE_READONLY_EXEC +#define __S101 PAGE_READONLY_EXEC +#define __S110 PAGE_SHARED_EXEC +#define __S111 PAGE_SHARED_EXEC +#else #define __S001 PAGE_READONLY #define __S010 PAGE_SHARED #define __S011 PAGE_SHARED @@ -232,6 +261,7 @@ #define __S101 PAGE_READONLY #define __S110 PAGE_SHARED #define __S111 PAGE_SHARED +#endif /* * Define this if things work differently on an i386 and an i486: diff -urN linux/include/asm-i386/processor.h linux.grsec/include/asm-i386/processor.h --- linux/include/asm-i386/processor.h Fri Jul 20 21:52:18 2001 +++ linux.grsec/include/asm-i386/processor.h Sun Sep 30 01:54:20 2001 @@ -264,12 +264,24 @@ * User space process size: 3GB (default). */ #define TASK_SIZE (PAGE_OFFSET) - +#ifdef CONFIG_GRKERNSEC_STACK +#define MAGIC_SIGRETURN (PAGE_OFFSET + 0xDE0000) +#define MAGIC_RT_SIGRETURN (PAGE_OFFSET + 0xDE0001) +#endif /* This decides where the kernel will search for a free chunk of vm * space during mmap's. */ +#ifdef CONFIG_GRKERNSEC_STACK +extern struct linux_binfmt elf_format; +#define TASK_UNMAPPED_BASE(size) ( \ + current->binfmt == &elf_format && \ + !(current->flags & PF_STACKEXEC) && \ + (size) < 0x00ef0000UL \ + ? 0x00110000UL \ + : TASK_SIZE / 3 ) +#else #define TASK_UNMAPPED_BASE (TASK_SIZE / 3) - +#endif /* * Size of io_bitmap in longwords: 32 is ports 0-0x3ff. */ @@ -360,6 +372,14 @@ unsigned long __cacheline_filler[5]; }; +#ifdef CONFIG_GRKERNSEC_PAX +struct pax_fault_info { + unsigned long eip; + unsigned long addresses[4]; + unsigned long count; +}; +#endif + struct thread_struct { unsigned long esp0; unsigned long eip; @@ -370,6 +390,11 @@ unsigned long debugreg[8]; /* %%db0-7 debug registers */ /* fault info */ unsigned long cr2, trap_no, error_code; +#ifdef CONFIG_GRKERNSEC_PAX +/* PaX fault info */ + struct pax_fault_info pax_faults; +#endif + /* floating point info */ union i387_union i387; /* virtual 86 mode info */ diff -urN linux/include/linux/a.out.h linux.grsec/include/linux/a.out.h --- linux/include/linux/a.out.h Fri Jul 20 21:52:18 2001 +++ linux.grsec/include/linux/a.out.h Sun Sep 30 01:54:20 2001 @@ -37,6 +37,14 @@ M_MIPS2 = 152 /* MIPS R6000/R4000 binary */ }; +#ifdef CONFIG_GRKERNSEC_PAX +/* Constants for the N_FLAGS field */ +#define F_PAX_PAGEEXEC 1 /* Enforce PAGE_EXEC */ +#define F_PAX_EMUTRAMP 2 /* Emulate trampolines */ +#define F_PAX_MPROTECT 4 /* Restrict mprotect() */ +#define F_PAX_RANDMMAP 8 /* Randomize mmap() base */ +#endif + #if !defined (N_MAGIC) #define N_MAGIC(exec) ((exec).a_info & 0xffff) #endif @@ -56,7 +64,9 @@ #define N_SET_FLAGS(exec, flags) \ ((exec).a_info = \ ((exec).a_info&0x00ffffff) | (((flags) & 0xff) << 24)) - +#ifdef CONFIG_GRKERNSEC_STACK +#define F_STACKEXEC 1 +#endif /* Code indicating object file or impure executable. */ #define OMAGIC 0407 /* Code indicating pure executable. */ diff -urN linux/include/linux/binfmts.h linux.grsec/include/linux/binfmts.h --- linux/include/linux/binfmts.h Fri Jul 20 21:52:18 2001 +++ linux.grsec/include/linux/binfmts.h Sun Sep 30 01:54:20 2001 @@ -1,6 +1,7 @@ #ifndef _LINUX_BINFMTS_H #define _LINUX_BINFMTS_H +#include #include #include @@ -30,6 +31,11 @@ int argc, envc; char * filename; /* Name of binary */ unsigned long loader, exec; +#ifdef CONFIG_GRKERNSEC_FD + int priv_change; + int tweak_fd_mask; + struct file *tweak_fd_null; +#endif }; /* diff -urN linux/include/linux/elf.h linux.grsec/include/linux/elf.h --- linux/include/linux/elf.h Sun Sep 30 01:30:57 2001 +++ linux.grsec/include/linux/elf.h Sun Sep 30 01:54:20 2001 @@ -85,7 +85,9 @@ * up with a final number. */ #define EM_ALPHA 0x9026 - +#ifdef CONFIG_GRKERNSEC_STACK +#define EF_STACKEXEC 1 +#endif /* * This is the old interim value for S/390 architecture */ @@ -254,6 +256,13 @@ #define R_MIPS_LOVENDOR 100 #define R_MIPS_HIVENDOR 127 +#ifdef CONFIG_GRKERNSEC_PAX +/* Constants for the e_flags field */ +#define EF_PAX_PAGEEXEC 1 /* 0: Enforce PAGE_EXEC */ +#define EF_PAX_EMUTRAMP 2 /* 0: Emulate trampolines */ +#define EF_PAX_MPROTECT 4 /* 0: Restrict mprotect() */ +#define EF_PAX_RANDMMAP 8 /* 0: Randomize mmap() base */ +#endif /* * Sparc ELF relocation types diff -urN linux/include/linux/fs.h linux.grsec/include/linux/fs.h --- linux/include/linux/fs.h Sun Sep 30 01:30:57 2001 +++ linux.grsec/include/linux/fs.h Sun Sep 30 01:54:20 2001 @@ -1048,7 +1048,11 @@ asmlinkage long sys_open(const char *, int, int); asmlinkage long sys_close(unsigned int); /* yes, it's really unsigned */ +#ifdef CONFIG_OBV_PROC +extern int do_truncate(struct dentry *, loff_t start, struct vfsmount *); +#else extern int do_truncate(struct dentry *, loff_t start); +#endif extern struct file *filp_open(const char *, int, int); extern struct file * dentry_open(struct dentry *, struct vfsmount *, int); diff -urN linux/include/linux/grsecurity.h linux.grsec/include/linux/grsecurity.h --- linux/include/linux/grsecurity.h Thu Jan 1 01:00:00 1970 +++ linux.grsec/include/linux/grsecurity.h Sun Sep 30 01:54:20 2001 @@ -0,0 +1,41 @@ +extern int grsec_enable_link; +extern int grsec_enable_fifo; +extern int grsec_enable_fd; +extern int grsec_enable_execve; +extern int grsec_enable_forkbomb; +extern int grsec_forkbomb_gid; +extern int grsec_forkbomb_sec; +extern int grsec_forkbomb_max; +extern int grsec_enable_execlog; +extern int grsec_enable_suid; +extern int grsec_enable_signal; +extern int grsec_enable_coredump; +extern int grsec_enable_forkfail; +extern int grsec_enable_time; +extern int grsec_enable_kbmap; +extern int grsec_enable_randnet; +extern int grsec_enable_chroot; +extern int grsec_enable_chroot_execlog; +extern int grsec_enable_chroot_caps; +extern int grsec_enable_tpe; +extern int grsec_tpe_gid; +extern int grsec_enable_tpe_glibc; +extern int grsec_enable_tpe_all; +extern int grsec_enable_sidcaps; +extern int grsec_enable_randpid; +extern int grsec_enable_randid; +extern int grsec_enable_randsrc; +extern int grsec_enable_randping; +extern int grsec_enable_randttl; +extern int grsec_randttl_thresh; +extern int grsec_enable_socket_all; +extern int grsec_socket_all_gid; +extern int grsec_enable_socket_client; +extern int grsec_socket_client_gid; +extern int grsec_enable_socket_server; +extern int grsec_socket_server_gid; +extern int grsec_enable_stealth_rst; +extern int grsec_enable_stealth_udp; +extern int grsec_enable_stealth_icmp; +extern int grsec_enable_stealth_igmp; +extern int grsec_enable_stealth_flags; diff -urN linux/include/linux/kernel.h linux.grsec/include/linux/kernel.h --- linux/include/linux/kernel.h Tue Jun 12 20:51:43 2001 +++ linux.grsec/include/linux/kernel.h Sun Sep 30 01:57:33 2001 @@ -59,8 +59,12 @@ extern long simple_strtol(const char *,char **,unsigned int); extern unsigned long long simple_strtoull(const char *,char **,unsigned int); extern long long simple_strtoll(const char *,char **,unsigned int); -extern int sprintf(char * buf, const char * fmt, ...); -extern int vsprintf(char *buf, const char *, va_list); +extern int sprintf(char * buf, const char * fmt, ...) + __attribute__ ((format (printf,2,3))); +extern int vsprintf(char *buf, const char *, va_list) + __attribute__ ((format (printf,2,0))); +extern int _vsnprintf(char *buf, int n, const char *, va_list) + __attribute__ ((format (printf,3,0))); extern int get_option(char **str, int *pint); extern char *get_options(char *str, int nints, int *ints); extern unsigned long long memparse(char *ptr, char **retptr); @@ -105,6 +109,47 @@ ((unsigned char *)&addr)[1], \ ((unsigned char *)&addr)[2], \ ((unsigned char *)&addr)[3] +#ifndef CONFIG_OBV_DEBUG +#define obv_seclog(default_msg, args...) \ +({ \ + static unsigned long msg_time = 0, getting_messages = 0; \ + static spinlock_t oblivion_lock = SPIN_LOCK_UNLOCKED; \ + \ + spin_lock(&oblivion_lock); \ + \ + if((!msg_time) || (jiffies - msg_time > CONFIG_OBV_FLOODTIME * HZ)) { \ + getting_messages = 1; \ + msg_time = jiffies; \ + printk(KERN_INFO "oblivion: " default_msg "\n", ##args ); \ + } else if(getting_messages) { \ + msg_time = jiffies; \ + getting_messages = 0; \ + printk(KERN_ALERT "Flooded with msgs. Logging disabled for %i seconds \n", CONFIG_OBV_FLOODTIME); \ + \ + } \ + spin_unlock(&oblivion_lock); \ +}) +#else +#define obv_seclog(msg,args...) printk(KERN_INFO "oblivion " msg "\n", ##args); +#endif + +#define security_alert(normal_msg,flood_msg,args...) \ +({ \ + static unsigned long warning_time = 0, no_flood_yet = 0; \ + static spinlock_t security_alert_lock = SPIN_LOCK_UNLOCKED; \ + \ + spin_lock(&security_alert_lock); \ + if(!warning_time || jiffies - warning_time > 30 * HZ) { \ + warning_time = jiffies; no_flood_yet = 1; \ + printk(KERN_ALERT "grsecurity: " normal_msg "\n", ## args); \ + } else if (no_flood_yet) { \ + warning_time = jiffies; no_flood_yet = 0; \ + printk(KERN_ALERT "grsecurity: more " flood_msg \ + ", logging disabled for 30 seconds\n"); \ + } \ + \ + spin_unlock(&security_alert_lock); \ +}) #define HIPQUAD(addr) \ ((unsigned char *)&addr)[3], \ diff -urN linux/include/linux/mm.h linux.grsec/include/linux/mm.h --- linux/include/linux/mm.h Sun Sep 30 01:30:58 2001 +++ linux.grsec/include/linux/mm.h Sun Sep 30 01:54:20 2001 @@ -104,7 +104,11 @@ #define VM_DONTEXPAND 0x00040000 /* Cannot expand with mremap() */ #define VM_RESERVED 0x00080000 /* Don't unmap it from swap_out */ +#ifdef CONFIG_GRKERNSEC_PAX +#define VM_STACK_FLAGS 0x00000133 +#else #define VM_STACK_FLAGS 0x00000177 +#endif #define VM_READHINTMASK (VM_SEQ_READ | VM_RAND_READ) #define VM_ClearReadHint(v) (v)->vm_flags &= ~VM_READHINTMASK diff -urN linux/include/linux/oblivion.h linux.grsec/include/linux/oblivion.h --- linux/include/linux/oblivion.h Thu Jan 1 01:00:00 1970 +++ linux.grsec/include/linux/oblivion.h Sun Sep 30 01:54:20 2001 @@ -0,0 +1,145 @@ + +#include + +/* * * * * * * * * * * * * * * * * * * * * + * Oblivion kernel Modification + * Main header file + * Purpose: define most Oblivion data structures + * * * * * * * * * * * * * * * * * * * * */ + +#define OBV_VERSION "oblivion v1.0" + +#define OBV_SHUTDOWN_MODE 0 +#define OBV_ENABLE_MODE 1 +#define OBV_CHCAPS_MODE 2 +#define OBV_AUTH_MODE 3 +#define OBV_GOD_MODE 4 + +/* required headers: , */ + +/* I need to include linux/fs.h in oblivion.c and it would be + * overkill to include kdev_t.h twice(once here and once in fs.h) + * so I just did the other necessary header inclusion before including oblivion.h*/ + + + +#define OBV_MAX_PW_LEN 129 +#define OBV_SHASUM_SIZE 20 +#define OBV_MAX_EXTRA_LEN 1025 + +/* Begin Data Structures */ +struct obv_pw { + char pw[OBV_MAX_PW_LEN]; + char extra[OBV_MAX_EXTRA_LEN]; + __u8 sum[OBV_SHASUM_SIZE]; /* 160-bit SHA hash of the password*/ + __u8 mode; /* On/Off/Restart(Restart is not ready yet..*/ +}; + +struct obv_sum { + __u8 sum[OBV_SHASUM_SIZE]; + ino_t file_inode; + kdev_t file_dev; +}; + +struct obv_sum_db { + struct obv_sum *db; + int max_ref; +}; + + +struct obv_file_acl { + ino_t file_inode; + kdev_t file_dev; + __u32 mode; +}; + +/* When sorting/searching, we can effectively search obv_file_acl and obv_acl structures since their identifying information(inodes/devs) are the same name and their size, due to the above padding, is also the same*/ + +struct obv_file_db { + struct obv_file_acl *db; + int max_ref; +}; + + +/* information about r/w/x info for a file by a process */ +/* Uses a (balanced )binary tree for its implementation...ideas are welcome for + * a more efficient way however=)*/ + +struct obv_proc_acl { + ino_t file_inode; + kdev_t file_dev; + /* to do rules like /tmp * set the dir /tmp rw .. best solution I can find*/ + __u16 mode; + /* you may consider the file inode, file_dev, and mode to(combined) be the key */ + struct obv_proc_acl *left; + struct obv_proc_acl *right; + __u16 height; /* used for avl rebalancing*/ +}; + + + +/* information about a process */ +struct obv_acl { + ino_t file_inode; + kdev_t file_dev; + __u8 mode; + kernel_cap_t file_caps; /* capability set*/ + struct obv_proc_acl *tree; +}; + +/* database - contains process ACLs */ +struct obv_proc_db { + struct obv_acl *db; + int max_ref; +}; + +/* Temporary storage--see kernel/oblivion.c */ +struct obv_temp { + ino_t file_inode; + kdev_t file_dev; + __u16 mode; +}; +/* Begin Capabilities subsection */ + +#define CONFIG_OBV_MAX_CAP 30 + +struct obv_cap { + char * capname; + kernel_cap_t capval; +}; + +struct obv_cap_list { + struct obv_cap table[CONFIG_OBV_MAX_CAP]; +}; +/* End Capabilities subsection */ +/* End Data Structures */ + +/* Begin SHA hash section */ +#define SHA1HANDSOFF /* Copies data before messing with it. */ + +struct SHA1_CTX { + unsigned long state[5]; + unsigned long count[2]; + unsigned char buffer[64]; +}; + +#define rol(value, bits) (((value) << (bits)) | ((value) >> (32 - (bits)))) + +/* blk0() and blk() perform the initial expand. */ +/* I got the idea of expanding during the round function from SSLeay */ +#ifdef __LITTLE_ENDIAN +#define blk0(i) (block->l[i] = (rol(block->l[i],24)&0xFF00FF00) \ + |(rol(block->l[i],8)&0x00FF00FF)) +#else +#define blk0(i) block->l[i] +#endif /* __LITTLE_ENDIAN */ +#define blk(i) (block->l[i&15] = rol(block->l[(i+13)&15]^block->l[(i+8)&15] \ + ^block->l[(i+2)&15]^block->l[i&15],1)) + + /* (R0+R1), R2, R3, R4 are the different operations used in SHA1 */ +#define R0(v,w,x,y,z,i) z+=((w&(x^y))^y)+blk0(i)+0x5A827999+rol(v,5);w=rol(w,30); +#define R1(v,w,x,y,z,i) z+=((w&(x^y))^y)+blk(i)+0x5A827999+rol(v,5);w=rol(w,30); +#define R2(v,w,x,y,z,i) z+=(w^x^y)+blk(i)+0x6ED9EBA1+rol(v,5);w=rol(w,30); +#define R3(v,w,x,y,z,i) z+=(((w|x)&y)|(w&x))+blk(i)+0x8F1BBCDC+rol(v,5);w=rol(w,30); +#define R4(v,w,x,y,z,i) z+=(w^x^y)+blk(i)+0xCA62C1D6+rol(v,5);w=rol(w,30); +/* End SHA hash section */ diff -urN linux/include/linux/obvcipher.h linux.grsec/include/linux/obvcipher.h --- linux/include/linux/obvcipher.h Thu Jan 1 01:00:00 1970 +++ linux.grsec/include/linux/obvcipher.h Sun Sep 30 01:54:20 2001 @@ -0,0 +1,4 @@ +extern void SHA1Init(struct SHA1_CTX *context); +extern void SHA1Update(struct SHA1_CTX *context, unsigned char *data,unsigned int len); +extern void SHA1Final(unsigned char digest[20],struct SHA1_CTX *context); +extern int obv_chkpw(struct obv_pw *entry); diff -urN linux/include/linux/obvdefs.h linux.grsec/include/linux/obvdefs.h --- linux/include/linux/obvdefs.h Thu Jan 1 01:00:00 1970 +++ linux.grsec/include/linux/obvdefs.h Sun Sep 30 01:54:20 2001 @@ -0,0 +1,78 @@ + +/* Begin Status/Return value declarations */ + +#define OBV_ALLOW 1 +#define OBV_NOTFOUND -1 +#define OBV_DENY 0 + +#define OBV_LOADING 0x01 +#define OBV_DISABLED 0x02 +#define OBV_READY 0x04 +#define OBV_1ST 0x08 +/* Debugging mode*/ +#define OBV_TESTING 0x080 + +#ifdef CONFIG_OBV_DEF_DENY +#define OBV_DEFAULT OBV_DENY +#endif +#ifdef CONFIG_OBV_DEF_DENY_ROOT +#define OBV_DEFAULT !(current->euid) ? OBV_DENY : OBV_ALLOW; +#endif +#ifdef CONFIG_OBV_DEF_ALLOW +#define OBV_DEFAULT OBV_ALLOW +#endif + +/* End Status declarations */ + + + + +/* Begin ACL declarations */ +#define OBV_READ 0x01 +#define OBV_APPEND 0x02 +#define OBV_WRITE 0x04 +#define OBV_EXEC 0x08 +#define OBV_HIDDEN 0x10 +#define OBV_OVERRIDE 0x20 /* Override File ACL, useful for proc only*/ +#define OBV_PROTECTED 0x40 + +/* Standard stuff done, on to File ACL stuff */ + +#define OBV_FILE_READ OBV_READ +#define OBV_FILE_APPEND OBV_APPEND +#define OBV_FILE_WRITE (OBV_WRITE | OBV_APPEND) +#define OBV_FILE_EXEC OBV_EXEC +#define OBV_FILE_HIDDEN OBV_HIDDEN + + +#define OBV_PROC_READ OBV_READ +#define OBV_PROC_APPEND OBV_APPEND +#define OBV_PROC_WRITE (OBV_WRITE|OBV_APPEND); /* write access implies append access*/ +#define OBV_PROC_EXEC OBV_EXEC +#define OBV_PROC_ACCESS OBV_HIDDEN +#define OBV_PROC_OVERRIDE OBV_OVERRIDE +#define OBV_PROC_IGN_DEFAULT OBV_IGN_DEFAULT +#define OBV_PROC_HIDDEN OBV_HIDDEN /* Hidden, unkillable(except by init) process. Good for hiding your IDSes / logging daemons:)*/ +#define OBV_PROC_PROTECTED OBV_PROTECTED + +/* Begin TODO */ +#define OBV_REQSUM 0x200 /* Require program to have SHAsum in database*/ +#define OBV_INHERIT 0x400 /* Children inherit parent's process acls*/ +#define OBV_AUTH 0x100 /* Require secondary authentication before execution*/ +#define OBV_FILE_REQSUM OBV_REQSUM +#define OBV_FILE_AUTH OBV_AUTH +#define OBV_PROC_REQSUM OBV_REQSUM +#define OBV_PROC_INHERIT OBV_INHERIT +#define OBV_PROC_AUTH OBV_AUTH +/* End TODO */ + +#define OBV_PROC_EXTRA (OBV_PROC_OVERRIDE|OBV_PROC_REQSUM|OBV_PROC_INHERIT|OBV_PROC_AUTH) +/* Extra things that must be checked after a search*/ + +#define OBV_FILE_EXTRA (OBV_FILE_REQSUM|OBV_FILE_AUTH) +#define OBV_RW (OBV_READ|OBV_WRITE) +#define OBV_RX (OBV_READ|OBV_EXEC) +#define OBV_RWX (OBV_READ|OBV_WRITE|OBV_EXEC) + +/* End ACL Declarations */ + diff -urN linux/include/linux/obvext.h linux.grsec/include/linux/obvext.h --- linux/include/linux/obvext.h Thu Jan 1 01:00:00 1970 +++ linux.grsec/include/linux/obvext.h Sun Sep 30 01:54:20 2001 @@ -0,0 +1,17 @@ +/* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * + * Oblivion external header + * Used for sections of the kernel that must access oblivion + * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */ + +#include +#include +#include + +extern int obv_status; +extern int obv_disable; +extern int obv_check_hidden(struct dentry *dentry, struct vfsmount *mnt); +extern int obv_search(struct dentry *dentry, __u16 mode, struct vfsmount *mnt); +extern int obv_set_proc_acl(struct dentry *dentry,struct task_struct *tsk,char *filename, struct vfsmount *mnt); +extern int obv_check_hidden_proc(struct task_struct *tsk); +extern int obv_check_protected(struct task_struct *tsk); +extern int obv_proc_handler(ctl_table *table,int write, struct file *filp, void *buffer, size_t *lenp); diff -urN linux/include/linux/sched.h linux.grsec/include/linux/sched.h --- linux/include/linux/sched.h Sun Sep 30 01:30:53 2001 +++ linux.grsec/include/linux/sched.h Sun Sep 30 01:56:59 2001 @@ -27,6 +27,10 @@ #include #include +#ifdef CONFIG_OBV_PROC +struct obv_acl; +#endif + /* * cloning flags: */ @@ -225,7 +229,12 @@ unsigned long def_flags; unsigned long cpu_vm_mask; unsigned long swap_address; - +#ifdef CONFIG_GRKERNSEC_PAX + unsigned long delta_mmap; /* PaX: randomized offset */ + unsigned long delta_exec; /* PaX: randomized offset */ + unsigned long delta_stack; /* PaX: randomized offset */ +#endif + unsigned dumpable:1; /* Architecture-specific MM context */ @@ -404,6 +413,10 @@ /* journalling filesystem info */ void *journal_info; +#ifdef CONFIG_OBV_PROC + struct obv_acl *obvacl; +#endif + }; /* @@ -421,6 +434,11 @@ #define PF_USEDFPU 0x00100000 /* task used FPU this quantum (SMP) */ +#define PF_PAX_PAGEEXEC 0x01000000 /* PaX: Enforce PAGE_EXEC */ +#define PF_PAX_EMUTRAMP 0x02000000 /* PaX: Emulate trampolines */ +#define PF_PAX_MPROTECT 0x04000000 /* PaX: Restrict mprotect() */ +#define PF_PAX_RANDMMAP 0x08000000 /* PaX: Randomize mmap() base */ + /* * Ptrace flags */ @@ -428,7 +446,17 @@ #define PT_PTRACED 0x00000001 #define PT_TRACESYS 0x00000002 #define PT_DTRACE 0x00000004 /* delayed trace (used on m68k, i386) */ +#ifdef CONFIG_GRKERNSEC_STACK +#define PF_STACKEXEC 0x01000000 +#endif #define PT_TRACESYSGOOD 0x00000008 + +#ifdef CONFIG_GRKERNSEC_PAX +/* PaX: for handling DTLB trashing */ +#define PT_PAX_TRACE 0x00000020 +#define PT_PAX_KEEPTF 0x00000040 +#define PT_PAX_OLDTF 0x00000080 +#endif /* * Limit the stack by to some sane default: root can always diff -urN linux/include/linux/sysctl.h linux.grsec/include/linux/sysctl.h --- linux/include/linux/sysctl.h Sun Sep 30 01:30:58 2001 +++ linux.grsec/include/linux/sysctl.h Sun Sep 30 01:59:05 2001 @@ -121,6 +121,8 @@ KERN_S390_USER_DEBUG_LOGGING=51, /* int: dumps of user faults */ KERN_NMI_WATCHDOG=52, /* int: nmi_watchdog on/off */ KERN_KDB=53, /* int: kdb on/off */ + KERN_GRSECURITY=68, /* grsecurity */ + KERN_OBV = 69, /* struct obv_pw, controls oblivion*/ }; diff -urN linux/include/net/inetpeer.h linux.grsec/include/net/inetpeer.h --- linux/include/net/inetpeer.h Fri Jul 20 21:52:19 2001 +++ linux.grsec/include/net/inetpeer.h Sun Sep 30 01:54:20 2001 @@ -14,6 +14,9 @@ #include #include #include +#ifdef CONFIG_GRKERNSEC_RANDID +#include +#endif struct inet_peer { @@ -58,7 +61,9 @@ __u16 id; spin_lock_bh(&inet_peer_idlock); - id = p->ip_id_count++; +#ifdef CONFIG_GRKERNSEC_RANDID + get_random_bytes(&id,(sizeof(id) / 2)); +#endif spin_unlock_bh(&inet_peer_idlock); return id; } diff -urN linux/include/net/ip.h linux.grsec/include/net/ip.h --- linux/include/net/ip.h Fri Jul 20 21:53:07 2001 +++ linux.grsec/include/net/ip.h Sun Sep 30 01:54:20 2001 @@ -31,6 +31,9 @@ #include #include #include +#ifdef CONFIG_GRKERNSEC_RANDID +#include +#endif #ifndef _SNMP_H #include @@ -196,7 +199,11 @@ * does not change, they drop every other packet in * a TCP stream using header compression. */ +#ifdef CONFIG_GRKERNSEC_RANDID + get_random_bytes(&iph->id,(sizeof(iph->id) / 2)); +#else iph->id = ((sk && sk->daddr) ? htons(sk->protinfo.af_inet.id++) : 0); +#endif } else __ip_select_ident(iph, dst); } diff -urN linux/init/main.c linux.grsec/init/main.c --- linux/init/main.c Sun Sep 30 01:30:58 2001 +++ linux.grsec/init/main.c Sun Sep 30 01:54:20 2001 @@ -74,6 +74,12 @@ #include #endif +#ifdef CONFIG_OBV_PROC +#include +#endif + + + /* * Versions of gcc older than that listed below may actually compile * and link okay, but the end product can have subtle run time bugs. @@ -113,6 +119,12 @@ extern void ipc_init(void); #endif +#ifdef CONFIG_OBV_PROC +static __init int obv_setup(char *line); +#endif + + + /* * Boot command-line arguments */ @@ -307,6 +319,19 @@ } __setup("root=", root_dev_setup); + +#ifdef CONFIG_OBV_PROC +static int __init obv_setup(char *str) +{ +#ifdef CONFIG_OBV_DEBUG + obv_seclog("Obv got %.3s at startup\n",str); +#endif + if(*str == '0') obv_disable = 1; + return 1; +} +__setup("oblivion=",obv_setup); +#endif + static int __init checksetup(char *line) { diff -urN linux/kernel/Makefile linux.grsec/kernel/Makefile --- linux/kernel/Makefile Sun Sep 30 01:30:58 2001 +++ linux.grsec/kernel/Makefile Sun Sep 30 01:54:20 2001 @@ -20,6 +20,7 @@ obj-$(CONFIG_MODULES) += ksyms.o obj-$(CONFIG_PM) += pm.o obj-$(CONFIG_KALLSYMS) += kallsyms.o +obj-$(CONFIG_OBV_PROC) += oblivion.o obvqsort.o obvhash.o ifneq ($(CONFIG_IA64),y) # According to Alan Modra , the -fno-omit-frame-pointer is diff -urN linux/kernel/exit.c linux.grsec/kernel/exit.c --- linux/kernel/exit.c Fri May 4 23:44:06 2001 +++ linux.grsec/kernel/exit.c Sun Sep 30 01:54:20 2001 @@ -18,6 +18,15 @@ #include #include +#ifdef CONFIG_GRKERNSEC_RANDPID +#include +#endif + +#ifdef CONFIG_OBV_PROC +extern void obv_exit(struct task_struct *tsk); +#endif + + extern void sem_exit (void); extern struct task_struct *child_reaper; @@ -419,7 +428,10 @@ } write_unlock_irq(&tasklist_lock); } - +#ifdef CONFIG_GRKERNSEC_RANDPID +pid_t last_pids[64]; +int cur_n_pids; +#endif NORET_TYPE void do_exit(long code) { struct task_struct *tsk = current; @@ -437,9 +449,18 @@ #ifdef CONFIG_BSD_PROCESS_ACCT acct_process(code); #endif +#ifdef CONFIG_OBV_PROC + obv_exit(tsk); +#endif __exit_mm(tsk); lock_kernel(); +#ifdef CONFIG_GRKERNSEC_RANDPID + if(grsec_enable_randpid){ + last_pids[cur_n_pids++] = tsk -> pid; + cur_n_pids &= 63; + } +#endif sem_exit(); __exit_files(tsk); __exit_fs(tsk); diff -urN linux/kernel/fork.c linux.grsec/kernel/fork.c --- linux/kernel/fork.c Wed Jul 18 03:23:28 2001 +++ linux.grsec/kernel/fork.c Sun Sep 30 02:01:52 2001 @@ -19,12 +19,29 @@ #include #include #include +#ifdef CONFIG_GRKERNSEC_RANDPID +#include +#endif + +#if defined(CONFIG_GRKERNSEC_FORKFAIL)||defined(CONFIG_GRKERNSEC_RANDPID) \ + || defined(CONFIG_GRKERNSEC_FORKBOMB) +#include +#endif #include #include #include #include +#ifdef CONFIG_OBV_PROC +#include +#endif + +#ifdef CONFIG_GRKERNSEC_RANDPID +extern struct entropy_store *random_state; +extern struct entropy_store *sec_random_state; +#endif + /* The idle threads do not count.. */ int nr_threads; int nr_running; @@ -35,6 +52,13 @@ struct task_struct *pidhash[PIDHASH_SZ]; +#ifdef CONFIG_OBV_PROC +static __inline__ int obv_copy_acl(struct task_struct *tsk) { + tsk->obvacl = current->obvacl; + return 0; +} +#endif + void add_wait_queue(wait_queue_head_t *q, wait_queue_t * wait) { unsigned long flags; @@ -80,9 +104,18 @@ /* Protects next_safe and last_pid. */ spinlock_t lastpid_lock = SPIN_LOCK_UNLOCKED; +#ifdef CONFIG_GRKERNSEC_RANDPID +extern pid_t last_pids[64]; +extern int cur_n_pids; +#endif + static int get_pid(unsigned long flags) { static int next_safe = PID_MAX; +#ifdef CONFIG_GRKERNSEC_RANDPID + int loops; +#endif + struct task_struct *p; if (flags & CLONE_PID) @@ -90,31 +123,69 @@ spin_lock(&lastpid_lock); if((++last_pid) & 0xffff8000) { +#ifdef CONFIG_GRKERNSEC_RANDPID + if(!grsec_enable_randpid) +#endif last_pid = 300; /* Skip daemons etc. */ goto inside; } - if(last_pid >= next_safe) { + if(last_pid >= +#ifdef CONFIG_GRKERNSEC_RANDPID + grsec_enable_randpid?2: +#endif + next_safe) { inside: +#ifdef CONFIG_GRKERNSEC_RANDPID + if(!grsec_enable_randpid) +#endif next_safe = PID_MAX; read_lock(&tasklist_lock); repeat: +#ifdef CONFIG_GRKERNSEC_RANDPID + if (grsec_enable_randpid) { + if((random_state) || (sec_random_state)){ + do { + get_random_bytes(&last_pid, sizeof(last_pid)); + last_pid %= PID_MAX; + if(last_pid < 0) + last_pid-=(2 * last_pid); + } while (last_pid < 1); + } else + last_pid = 1+((xtime.tv_usec * total_forks) % PID_MAX); + for(loops=0;loops<64;loops++){ + if(last_pids[loops] == last_pid) + goto repeat; + } + } +#endif + for_each_task(p) { if(p->pid == last_pid || p->pgrp == last_pid || p->session == last_pid) { - if(++last_pid >= next_safe) { + if( +#ifdef CONFIG_GRKERNSEC_RANDPID + !grsec_enable_randpid && +#endif + ++last_pid >= next_safe) { if(last_pid & 0xffff8000) last_pid = 300; next_safe = PID_MAX; } goto repeat; } +#ifdef CONFIG_GRKERNSEC_RANDPID + if(!grsec_enable_randpid){ +#endif if(p->pid > last_pid && next_safe > p->pid) next_safe = p->pid; if(p->pgrp > last_pid && next_safe > p->pgrp) next_safe = p->pgrp; if(p->session > last_pid && next_safe > p->session) next_safe = p->session; +#ifdef CONFIG_GRKERNSEC_RANDPID + } +#endif } read_unlock(&tasklist_lock); } @@ -534,6 +605,7 @@ return 0; } + static inline void copy_flags(unsigned long clone_flags, struct task_struct *p) { unsigned long new_flags = p->flags; @@ -560,7 +632,11 @@ int retval; struct task_struct *p; struct completion vfork; - +#ifdef CONFIG_GRKERNSEC_FORKBOMB + int sec_forks = 0; + int user_tasks = 0; + unsigned long curr_time = jiffies; +#endif retval = -EPERM; /* @@ -583,6 +659,42 @@ if (atomic_read(&p->user->processes) >= p->rlim[RLIMIT_NPROC].rlim_cur) goto bad_fork_free; +#ifdef CONFIG_GRKERNSEC_FORKBOMB +if(grsec_enable_forkbomb) { +if(in_group_p(grsec_forkbomb_gid)){ + read_lock(&tasklist_lock); + for_each_task(p) + { + if ((p->uid) == current->uid) + { + user_tasks++; + if ( (curr_time - (p->start_time)) <= 100) + sec_forks++; + } + } + read_unlock(&tasklist_lock); + + if (user_tasks >= grsec_forkbomb_max){ + security_alert("max process limit reached with (%s:%d) by UID (%d), " + "EUID (%d), parent (%s:%d), UID (%d), EUID (%d)","max proc limits " + "reached", + current->comm,current->pid,current->uid, + current->euid, current->p_pptr->comm,current->p_pptr->pid, + current->p_pptr->uid,current->p_pptr->euid); + goto bad_fork_free; + } else if (sec_forks >= grsec_forkbomb_sec){ + security_alert("fork rate-limit reached with (%s:%d) by UID (%d), " + "EUID (%d), parent (%s:%d), UID (%d), EUID (%d)","fork rate-limits " + "reached", + current->comm,current->pid,current->uid, + current->euid, current->p_pptr->comm,current->p_pptr->pid, + current->p_pptr->uid,current->p_pptr->euid); + goto bad_fork_free; + } +} +} +#endif + atomic_inc(&p->user->__count); atomic_inc(&p->user->processes); @@ -654,6 +766,11 @@ goto bad_fork_cleanup_fs; if (copy_mm(clone_flags, p)) goto bad_fork_cleanup_sighand; +#ifdef CONFIG_OBV_PROC + if (obv_copy_acl(p)) + goto bad_fork_cleanup_sighand; +#endif + retval = copy_thread(0, clone_flags, stack_start, stack_size, p, regs); if (retval) goto bad_fork_cleanup_mm; @@ -740,6 +857,13 @@ free_uid(p->user); bad_fork_free: free_task_struct(p); +#ifdef CONFIG_GRKERNSEC_FORKFAIL + if(grsec_enable_forkfail) + security_alert("failed fork with errno %d by (%.16s:%d), UID (%d), EUID (%d), parent (%.16s:%d), " + "UID (%d), EUID (%d)","failed forks",retval,current->comm,current->pid, + current->uid,current->euid,current->p_pptr->comm,current->p_pptr->pid, + current->p_pptr->uid,current->p_pptr->euid); +#endif goto fork_out; } diff -urN linux/kernel/oblivion.c linux.grsec/kernel/oblivion.c --- linux/kernel/oblivion.c Thu Jan 1 01:00:00 1970 +++ linux.grsec/kernel/oblivion.c Sun Sep 30 01:54:20 2001 @@ -0,0 +1,1357 @@ +/* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * + * Oblivion: A Security-Enhancing Linux Kernel Modification + * Author: Michael Dalton + * E-Mail: shadowrye@linux.com + * Information: This modification is designed to give + * fine-tuned control over processes, to prevent + * the damage of buffer overflows by disallowing them to run or + * write to anything that is abnormal. It also protects files from + * access by unauthorized programs(read only/append only/hidden modes) + * and has capability management features. + * + * Modifications + * 4-20-2001 - Began development of OPM .3 + * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */ + +/* Access Layers */ + + +/* Files - + * file database -> file info + */ + +/* Process + * process database -> process entry (and capabilities) -> process file access rights + */ + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#define OBV_SET_AUTH 1 +#define OBV_SET_INHERIT 2 +#define OBV_SET_PROC 3 + +#define CONFIG_OBV_PROCACL_CONF "/etc/obv/proc.acl" +#define CONFIG_OBV_FILEACL_CONF "/etc/obv/file.acl" +#define CONFIG_OBV_SUM_CONF "/etc/obv/sum.db" +#define CONFIG_OBV_PW_CONF "/etc/obv/pw" +#define CONFIG_OBVADM_ACL CONFIG_OBVADM_PATH ## " fx" +#define CONFIG_GODMODE_ACL "/ frwxoi" +/* i.e. this would become "/sbin/obvadm x" for executable access only to + * /sbin/obvadm (and find it if its hidden) */ + +#define obv_empty_tree (struct obv_proc_acl *) NULL + +#define obv_heightof(tree) ( (tree == obv_empty_tree) ? 0 : (tree->height) ) + +#define INIT_CAP_TABLE(table) \ +table[0].capname = "CAP_CHOWN";\ +table[0].capval = CAP_CHOWN; \ +table[1].capname = "CAP_DAC_OVERRIDE"; \ +table[1].capval = CAP_DAC_OVERRIDE; \ +table[2].capname = "CAP_DAC_READ_SEARCH"; \ +table[2].capval = CAP_DAC_READ_SEARCH; \ +table[3].capname = "CAP_FOWNER"; \ +table[3].capval = CAP_FOWNER; \ +table[4].capname = "CAP_FSETID"; \ +table[4].capval = CAP_FSETID; \ +table[5].capname = "CAP_FS_MASK"; \ +table[5].capval = CAP_FS_MASK; \ +table[6].capname = "CAP_KILL"; \ +table[6].capval = CAP_KILL; \ +table[7].capname = "CAP_SETGID"; \ +table[7].capval = CAP_SETGID; \ +table[8].capname = "CAP_SETUID"; \ +table[8].capval = CAP_SETUID; \ +table[9].capname = "CAP_SETPCAP"; \ +table[9].capval = CAP_SETPCAP; \ +table[10].capname = "CAP_LINUX_IMMUTABLE"; \ +table[10].capval = CAP_LINUX_IMMUTABLE; \ +table[11].capname = "CAP_NET_BIND_SERVICE"; \ +table[11].capval = CAP_NET_BIND_SERVICE; \ +table[12].capname = "CAP_NET_BROADCAST"; \ +table[12].capval = CAP_NET_BROADCAST;\ +table[13].capname = "CAP_NET_ADMIN"; \ +table[13].capval = CAP_NET_ADMIN; \ +table[14].capname = "CAP_NET_RAW"; \ +table[14].capval = CAP_NET_RAW; \ +table[15].capname = "CAP_IPC_LOCK"; \ +table[15].capval = CAP_IPC_LOCK; \ +table[16].capname = "CAP_IPC_OWNER"; \ +table[16].capval = CAP_IPC_OWNER; \ +table[17].capname = "CAP_SYS_MODULE"; \ +table[17].capval = CAP_SYS_MODULE; \ +table[18].capname = "CAP_SYS_RAWIO"; \ +table[18].capval = CAP_SYS_RAWIO; \ +table[19].capname = "CAP_SYS_CHROOT"; \ +table[19].capval = CAP_SYS_CHROOT; \ +table[20].capname = "CAP_SYS_PTRACE"; \ +table[20].capval = CAP_SYS_PTRACE; \ +table[21].capname = "CAP_SYS_PACCT"; \ +table[21].capval = CAP_SYS_PACCT; \ +table[22].capname = "CAP_SYS_ADMIN"; \ +table[22].capval = CAP_SYS_ADMIN; \ +table[23].capname = "CAP_SYS_BOOT"; \ +table[23].capval = CAP_SYS_BOOT; \ +table[24].capname = "CAP_SYS_NICE"; \ +table[24].capval = CAP_SYS_NICE; \ +table[25].capname = "CAP_SYS_RESOURCE"; \ +table[25].capval = CAP_SYS_RESOURCE; \ +table[26].capname = "CAP_SYS_TIME"; \ +table[26].capval = CAP_SYS_TIME; \ +table[27].capname = "CAP_SYS_TTY_CONFIG"; \ +table[27].capval = CAP_SYS_TTY_CONFIG; \ +table[28].capname = "CAP_MKNOD"; \ +table[28].capval = CAP_MKNOD; \ +table[29].capname = "CAP_LEASE"; \ +table[29].capval = CAP_LEASE; + +/* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * + * Global variables + * * * * * * * * ** * * * * * * * * * * * * * * * * * * * * */ + +int _enable_oblivion_load = 0; +int obv_disable = 0; /* handles boot time disabling of oblivion*/ +static struct obv_proc_db procdb; +static struct obv_file_db filedb; +/* Main variables for holding the rulesets*/ +static spinlock_t obv_lock = SPIN_LOCK_UNLOCKED; +__u8 obv_status = (OBV_1ST | OBV_DISABLED); +struct obv_pw obv_pwent; +struct obv_cap_list *caplist; +struct obv_acl obv_god_mode = { 0,0,0,~0,obv_empty_tree}; +/* iddqd style god mode;) Full caps/access rights*/ +extern kdev_t ROOT_DEV; +struct obv_acl obv_auth = { 0,0,(__u8)OBV_PROC_AUTH,CAP_INIT_EFF_SET,obv_empty_tree }; +/* acl for authentication mode */ + +/* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * + * Sorting Routines + * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */ + + + +static __inline__ int obv_procacl_less(const struct obv_temp *a, const struct obv_proc_acl *b) +{ + return ( (a->file_inode < b->file_inode) || ( (a->file_inode == b->file_inode) && (a->file_dev < b->file_dev) ) ) ? 1 : 0; +} + +#define obv_proc_acl_less(a,b) obv_procacl_less(a,b) + +static __inline__ int obv_procacl_eq(const struct obv_temp *a, const struct obv_proc_acl *b) +{ + return ( (a->file_inode == b->file_inode) && (a->file_dev == b->file_dev) ) ? 1:0; +} + + +static __inline__ int obv_acl_eq(const struct obv_acl *a, const struct obv_acl *b) +{ + return ( (a->file_inode == b->file_inode) && (a->file_dev == b->file_dev)) ? 1 : 0; +} + +extern void obv_qsort(void *const pbase,size_t total_elems,size_t size,int (*cmp) (const void *, const void *)); + +/* see obvqsort.c for above. Slightly adapted from gnu libc's qsort*/ + +static __inline__ int obv_file_acl_cmp(const void *va, const void *vb) +{ + struct obv_file_acl *a = (struct obv_file_acl *) va; + struct obv_file_acl *b = (struct obv_file_acl *) vb; + if (a->file_inode < b->file_inode) + return -1; + else if(a->file_inode == b->file_inode) { + if(a->file_dev < b->file_dev) + return -1; + else if(a->file_dev == b->file_dev) + return 0; + } + return 1; +} + +static __inline__ int obv_fileacl_less(const struct obv_file_acl *f1, const struct obv_temp *f2) { + return ( ((f1->file_inode < f2->file_inode)) || (f1->file_inode == f2->file_inode && f1->file_dev < f2->file_dev) ) ? 1 : 0; +} + +static __inline__ int obv_fileacl_eq(const struct obv_file_acl *f1, const struct obv_temp *f2) { + return ( (f1->file_inode == f2->file_inode) && (f1->file_dev == f2->file_dev)) ? 1 : 0; +} +static __inline__ int obv_acl_cmp(const void *va, const void *vb) +{ + struct obv_acl *a = (struct obv_acl *) va; + struct obv_acl *b = (struct obv_acl *) vb; + if (a->file_inode < b->file_inode) + return -1; + + else if(a->file_inode == b->file_inode) { + if(a->file_dev < b->file_dev) + return -1; + else if(a->file_dev == b->file_dev) + return 0; + } + return 1; +} +#define obv_acl_less(a,b) (((obv_acl_cmp((const void *)a,(const void *)b)) < 0)) + +static struct obv_proc_acl * obv_rotl(struct obv_proc_acl *tree) +{ + struct obv_proc_acl *tmp = tree->right; + tree->right = tmp->left; + tmp->left = tree; + if(obv_heightof(tree->left) >= obv_heightof(tree->right)) + tree->height = obv_heightof(tree->left) +1; + else + tree->height = obv_heightof(tree->right) + 1; + if(obv_heightof(tmp->left) >= obv_heightof(tmp->right)) + tmp->height = obv_heightof(tmp->left) + 1; + else + tmp->height = obv_heightof(tmp->right) + 1; + return tmp; +} + +static struct obv_proc_acl * obv_rotr(struct obv_proc_acl *tree) +{ + struct obv_proc_acl *tmp = tree->left; + tree->left = tmp->right; + tmp->right = tree; + if(obv_heightof(tree->left) >= obv_heightof(tree->right)) + tree->height=obv_heightof(tree->left) + 1; + else + tree->height = obv_heightof(tree->right) + 1; + if(obv_heightof(tmp->left) >= obv_heightof(tmp->right)) + tmp->height = obv_heightof(tmp->left) + 1; + else + tmp->height = obv_heightof(tmp->right) + 1; + return tmp; +} + +static struct obv_proc_acl * obv_drlr(struct obv_proc_acl *tree) { + tree->right = obv_rotr(tree->right); + return obv_rotl(tree); +} + +static struct obv_proc_acl * obv_dlrr(struct obv_proc_acl *tree) { + tree->left = obv_rotl(tree->left); + return obv_rotr(tree); +} + + +static void obv_sort(void) +{ + obv_qsort((void *)procdb.db,procdb.max_ref,sizeof(struct obv_acl),obv_acl_cmp); + obv_qsort((void *)filedb.db,filedb.max_ref,sizeof(struct obv_file_acl),obv_file_acl_cmp); +} +#ifdef CONFIG_OBV_OLD_DEBUG +static void obv_list_file_acls(void) +{ + int i; + for(i=0;ifile_inode,head->file_dev,head->mode); + if(head->left != obv_empty_tree) { + obv_seclog("Doing left proc acl\n"); + obv_traverse(head->left); + } + if(head->right != obv_empty_tree) { + obv_seclog("Doing right proc acl\n"); + obv_traverse(head->right); + } +} + +static void obv_list_proc_acls(void) +{ + int i; + for(i=0;if_op->read)) ) { + obv_seclog("Could not open config file %.1024s\n",CONFIG_OBV_PW_CONF); + return 1; + } + filp->f_pos = 0; + set_fs(KERNEL_DS); + retval = filp->f_op->read(filp,obv_pwent.sum,sizeof(obv_pwent.sum)/sizeof(obv_pwent.sum[0]),&filp->f_pos); + set_fs(old_fs); + if(retval != sizeof(obv_pwent.sum)/sizeof(obv_pwent.sum[0])) { + obv_seclog("Invalid pw entry detected, got %d wanted %d\n",retval,sizeof(obv_pwent.sum)); + retval = 1; + } else retval = 0; + filp_close(filp,NULL); + return retval; +} + + + + +static int obv_add_file_acl(char *line) +{ + char *p, *q; + struct nameidata filedata; + int working = 1; + struct obv_file_acl *curr; + + if( (p = memscan(line,'/',strlen(line))) == line + strlen(line) ) { + // obv_seclog("Line %.1024s seems wrong\n",line); + return 0; + } + else curr = &(filedb.db[filedb.max_ref]); + + if( (q = memscan(p,' ',strlen(p))) == p + strlen(p)) + return 0; + *q++ = '\0'; + if(path_init(p,LOOKUP_FOLLOW|LOOKUP_POSITIVE,&filedata)) + if(path_walk(p,&filedata)) { + obv_seclog("Unable to locate file %.1024s\n",p); + //goto out; + return 0; + } + if( !(filedata.dentry) || IS_ERR(filedata.dentry) ) { + obv_seclog("Error adding file acl for file %.1024s\n",p); + // goto out; + return 0; + } + curr->file_inode = filedata.dentry->d_inode->i_ino; + curr->file_dev = filedata.dentry->d_inode->i_dev; + curr->mode = 0; + + while(*q == ' ') q++; + while(working) { + switch(*q) { + case 'r' : + curr->mode |= OBV_FILE_READ; + q++; + break; + case 'h' : + curr->mode |= OBV_FILE_HIDDEN; + q++; + break; + case 'a' : + curr->mode |= OBV_FILE_APPEND; + q++; + break; + case 'w' : + curr->mode |= OBV_FILE_WRITE; + q++; + break; + case 'x': + curr->mode |= OBV_FILE_EXEC; + q++; + break; + /* Note: 's' and 'a' only come into play when something is executed*/ + case 's' : + filedb.db[filedb.max_ref].mode |= OBV_FILE_REQSUM; + q++; + break; + case 'u' : + filedb.db[filedb.max_ref].mode |= OBV_FILE_AUTH; + q++; + break; + default: /* if anything else, the '\0' at the end of the line will hit here and cause us to terminate, so it won't go on indefinately and start accessing memory it shouldn't*/ + working = 0; + break; + } + } +#ifdef CONFIG_OBV_DEBUG + obv_seclog("Added File ACL for inode %ld dev %d with mode %x and max_ref %d\n",curr->file_inode,curr->file_dev,curr->mode,filedb.max_ref); +#endif + filedb.max_ref++; + path_release(&filedata); + return 0; +} + + +static __inline__ struct obv_proc_acl * obv_set(struct obv_temp *data, struct obv_proc_acl *left, struct obv_proc_acl *right,__u16 height) +{ + struct obv_proc_acl *dest = kmalloc(sizeof(struct obv_proc_acl),GFP_KERNEL); + if(dest == NULL) { + obv_seclog("Memory allocation failure, Oblivion panicing\n"); + return procdb.db[procdb.max_ref].tree; + } + dest->file_inode = data->file_inode; + dest->file_dev = data->file_dev; + dest->mode = data->mode; + dest->left = left; dest->right = right; + dest->height = height; + return dest; +} + + +static struct obv_proc_acl * obv_tree_ins(struct obv_proc_acl *tree, struct obv_temp *entry) +{ + if(tree == obv_empty_tree) { + tree = obv_set(entry,obv_empty_tree,obv_empty_tree,0); + return tree; + } + else if(obv_procacl_less(entry,tree)) { + tree->left = obv_tree_ins(tree->left,entry); + if(obv_heightof(tree->left) > obv_heightof(tree->right) + 1) { + if(obv_procacl_less(entry,tree->left)) + tree = obv_rotr(tree); + else + tree = obv_dlrr(tree); + } + } + else /* assuming no duplicate entries*/ { + tree->right = obv_tree_ins(tree->right,entry); + if(obv_heightof(tree->right) > obv_heightof(tree->left) + 1) { + if(obv_procacl_less(entry,tree->right)) + tree = obv_drlr(tree); + else + tree = obv_rotl(tree); + } + } + if(obv_heightof(tree->left) >= obv_heightof(tree->right)) + tree->height = obv_heightof(tree->left) + 1; + else + tree->height = obv_heightof(tree->right) + 1; + return tree; +} + +static kernel_cap_t obv_cap_conv(char *p) +{ + kernel_cap_t cap; + int i; + char *q; + cap_t(cap) = 0; + if(!p) return cap; + if( (q = memscan(p,'\n',strlen(p))) != p + strlen(p)) + *q = '\0'; + + while(*p == ' ') p++; + if( (strncmp(p,"CAP",3)) != 0) + goto out; + for(i=0;itable[i].capname))) { + cap_t(cap) = CAP_TO_MASK(caplist->table[i].capval); + return cap; + } + } +out: + return cap; +} + + +static int obv_add_proc_acl(char *line,struct obv_acl *obv) +{ + char *p, *q; + struct nameidata nd; + int working = 1; + struct obv_temp curr; + if( (p = memscan(line,'+',strlen(line)) ) != line + strlen(line) ) { + cap_t(obv->file_caps) |= cap_t(obv_cap_conv(++p)); + return 0; + } + else if ( (p = memscan(line,'-',strlen(line)) ) != line + strlen(line) ) { + cap_t(obv->file_caps) &= ~cap_t(obv_cap_conv(++p)); + return 0; + } + + else { + if( (p = memscan(line,'/',strlen(line))) == line + strlen(line)) { + obv_seclog("Line %.1024s missing a /\n",line); + return 0; + } + if ( (q = memscan(p,' ',strlen(p))) == p + strlen(p)) { + obv_seclog("Missing a space in obv proc acl entry, line %.1024s\n",line); + return 0; + } + *q++ = '\0'; + if(path_init(p,LOOKUP_FOLLOW|LOOKUP_POSITIVE,&nd)) + if(path_walk(p,&nd)) { + obv_seclog("path walk failure for %.1024s\n",line); + return 1; + } + if( (!nd.dentry) || (IS_ERR(nd.dentry)) || (!(nd.dentry->d_inode)) ) { + if(nd.dentry) + path_release(&nd); + obv_seclog("lookup failure for %.1024s\n",line); + return 1; + } + curr.file_inode = nd.dentry->d_inode->i_ino; + curr.file_dev = nd.dentry->d_inode->i_dev; + curr.mode = 0; + + while(*q == ' ') q++; + while(working) { + switch(*q) { + case 'r' : + curr.mode |= OBV_PROC_READ; + q++; + break; + case 'w' : + curr.mode |= OBV_PROC_WRITE; + q++; + break; + case 'x' : + curr.mode |= OBV_PROC_EXEC; + q++; + break; + case 'a' : + curr.mode |= OBV_PROC_APPEND; + q++; + break; + case 'f': + curr.mode |= OBV_PROC_ACCESS; + q++; + break; + case 'o': + curr.mode |= OBV_PROC_OVERRIDE; + q++; + break; + case 'u' : + curr.mode |= OBV_PROC_AUTH; + q++; + break; + case 'i' : + curr.mode |= OBV_PROC_INHERIT; + q++; + break; + case 's' : + curr.mode |= OBV_PROC_REQSUM; + q++; + break; + default: + working = 0; + break; + } + } +#ifdef CONFIG_OBV_DEBUG + obv_seclog("About to insert %ld %d %.1024s\n",curr.file_inode,curr.file_dev,line); +#endif + obv->tree = obv_tree_ins(obv->tree,&curr); + path_release(&nd); + return 0; + } + return 1; /* we should never make it here*/ +} + +static int obv_add_pw(char *pw) +{ + struct SHA1_CTX context; + SHA1Init(&context); + SHA1Update(&context,pw,strlen(pw)); + SHA1Final(obv_pwent.sum,&context); + return 0; +} + +static int obv_add_line(char *line, int type) +{ + static int mode = 0; + char *p,*q; + struct dentry *file; + struct nameidata filed; + static struct obv_acl *curr; + int working; + /* mode = 0 : we are ready for a new program acl + * mode = 1 : we are in the middle of reading a program acl*/ + switch(type) { + case 2 : return obv_add_pw(line); + case 1 : return obv_add_file_acl(line); + case 0 : break; /* handled below*/ + default: obv_seclog("Unknown type %d passed\n",type); + return 1; + break; + } + + if(!mode) { + if(procdb.max_ref >= CONFIG_OBV_MAX_RULESET) return 1; + if( (p = memscan (line,'/',strlen(line))) == (line+strlen(line)) ) { + return 0; + } + else curr = &(procdb.db[procdb.max_ref]); + + + q = memscan(p,' ',strlen(p)); + *q++= '\0'; + + if(path_init(p,LOOKUP_FOLLOW|LOOKUP_POSITIVE,&filed) ) + if(path_walk(p,&filed)) { + obv_seclog("Add file error for file %.1024s\n",p); + return 1; + } + file = filed.dentry; + if (IS_ERR(file) || !file || !(file->d_inode)) { + if(file) + path_release(&filed); + return 1; + } + curr->file_inode = file->d_inode->i_ino; + curr->file_dev = file->d_inode->i_dev; + while(*q == ' ') q++; + curr->mode = 0; + working = 1; + while(working) { + switch(*q) { + case 'p': + curr->mode |= OBV_PROC_PROTECTED; + q++; + break; + case 'h': + curr->mode |= OBV_PROC_HIDDEN; + q++; + break; + default: + working = 0; + } + } + curr->file_caps = cap_bset; + mode = 1; +#ifdef CONFIG_OBV_DEBUG + obv_seclog("Added program (full entry) with inode %ld dev %d mode %x line %.1024s\n",curr->file_inode,curr->file_dev,curr->mode,line); +#endif + path_release(&filed); + curr->tree = obv_empty_tree; + return 0; + } + else if( (p=memscan(line,'}',strlen(line))) != (line + strlen(line)) ) { + procdb.max_ref++; + mode = 0; + return 0; + } else { + return obv_add_proc_acl(line,curr); + } +} + +static int obv_init_variables(void) +{ + caplist = kmalloc(sizeof(struct obv_cap_list),GFP_KERNEL); + if(caplist) { + INIT_CAP_TABLE(caplist->table) + } + + procdb.db = kmalloc(sizeof(struct obv_acl) * CONFIG_OBV_MAX_RULESET,GFP_KERNEL); + filedb.db = kmalloc(sizeof(struct obv_file_acl) * CONFIG_OBV_MAX_RULESET,GFP_KERNEL); + procdb.max_ref = filedb.max_ref = 0; + + if( (obv_add_proc_acl(CONFIG_OBVADM_ACL,&obv_auth)) ) + return 1; + else if( (obv_add_proc_acl(CONFIG_GODMODE_ACL,&obv_god_mode)) ) + return 1; + else if( (obv_add_proc_acl("/etc r",&obv_auth)) ) + return 1; + else if( (obv_add_proc_acl("/lib r",&obv_auth)) ) + return 1; + + return procdb.db && filedb.db && caplist ? 0 : 1; +} + + +static int obv_conf_parse(const char *conffile,const int type) +{ + /* Purpose: open and read from oblivion config file */ + struct file *filp; + int bytes_read = 0, start = 0, end = 0, obv_fatal = 0; + char buffer[1024]; + char *filepos = NULL,*memscanp = NULL; + mm_segment_t old_fs; + filepos = buffer; + filp = filp_open(conffile, O_RDONLY, O_RDONLY); + if( ( IS_ERR(filp) ) || (filp == NULL) ) { + obv_seclog("Could not open config file %.1024s\n",conffile); + + obv_fatal = 1; + return obv_fatal; + } else if ( filp->f_op->read == NULL ) { + fput(filp); + obv_fatal = 2; + return obv_fatal; + } + /* end error checking, now for the real work */ + while ( ! end ) { + filp->f_pos = start; /* offset of our read :) */ + old_fs = get_fs(); + filepos = buffer; + /* if current task isn't from the kernel, we'll + have a current->addr_limit.seg that isn't 0xFFFFFFFF + + and we can't have that */ + set_fs(KERNEL_DS); + bytes_read = filp->f_op->read (filp,buffer,1024,&filp->f_pos); + set_fs(old_fs); + if(bytes_read < 1024 ) { + end = 1; + filepos[bytes_read++] = '\n'; /* last line + must make sure we have a newline */ + } while ( ( memscanp = memscan(filepos,'\n',sizeof(buffer)) ) != filepos + bytes_read && (bytes_read > 0) ) { + *memscanp++ = '\0' ; + /* necessary for later strlen()'s...*/ + bytes_read -= memscanp-filepos; + filp->f_pos += memscanp-filepos; + if( (*filepos != '#') ) + if(obv_add_line(filepos,type)) + return 1; + filepos = memscanp; /* next area to search .. */ + } + if (bytes_read == 1024 ) { + /* hmmm we got a return for no \n in the buffer + must be too long of a line */ + break; + } + } + filp_close(filp,NULL); + return obv_fatal; +} + +static void obv_free_unused_memory(void) { + int i; + if(procdb.max_ref < CONFIG_OBV_MAX_RULESET) + for(i = procdb.max_ref;i < CONFIG_OBV_MAX_RULESET;i++) { + kfree(&procdb.db[i]); + } + if(filedb.max_ref < CONFIG_OBV_MAX_RULESET) + for(i = filedb.max_ref;i < CONFIG_OBV_MAX_RULESET;i++) { + kfree(&filedb.db[i]); + } +} + +static int oblivion_init(void) +{ + int error = 0; + spin_lock(&obv_lock); + obv_status &= ~OBV_DISABLED; + obv_status |= OBV_LOADING; + /* okay we're the only oblivion_init that can run due to the spinlock*/ + if(obv_init_variables() ) + error = -1; + else if(obv_add_pw_conf()) + error = -2; + else if (obv_conf_parse(CONFIG_OBV_PROCACL_CONF,0)) + error = -3; + else if(obv_conf_parse(CONFIG_OBV_FILEACL_CONF,1)) + error = -4; + obv_sort(); + if(!error) { + obv_free_unused_memory(); + obv_status |= OBV_READY; /* locked, cocked, and ready to rock*/ + }else { + obv_status |= OBV_DISABLED; + obv_seclog("Error loading , trying to run kernel with oblivion disabled. To disable oblivion at startup use oblivion=off from your boot loader\n"); + } + obv_status &= ~OBV_LOADING; + spin_unlock(&obv_lock); + return error; +} + +/* * * * * * * * * * * * * * * * * * * * * * * + * Begin Misc Section + * * * * * * * * * * * * * * * * * * * * * * */ + +/* Searching stuff, program exit cleanup, and sysctl parsing */ + +/* Nonrecursive binary sort, idea from libc, implementation is slightly different but the inspirationw as found there=) */ + +static __inline__ int do_obv_file_acl_search(struct obv_temp *curr) +{ + int high, low; + struct obv_file_acl *pos; + high = filedb.max_ref; + low = 0; + while(low < high) { + pos = &filedb.db[((low+high)/2)]; + if(obv_fileacl_less(pos,curr)) + low = (( (low + high) / 2) + 1 ); + else if(obv_fileacl_eq(pos,curr)) { + if(pos->mode & curr->mode) { +#ifdef CONFIG_OBV_DEBUG + obv_seclog("File ACL allow, req %x allowed %x\n source: %ld %d dest %ld %d\n",curr->mode,pos->mode,pos->file_inode,pos->file_dev,curr->file_inode,curr->file_dev); +#endif + return OBV_ALLOW; + } + else { +#ifdef CONFIG_OBV_DEBUG + if(!(curr->mode & OBV_FILE_HIDDEN)) + obv_seclog("File ACL deny, req %x allowed %x\n source %ld %d dest %ld %d\n",curr->mode,pos->mode,pos->file_inode,pos->file_dev,curr->file_inode,curr->file_dev); +#endif + return OBV_DENY; + } + } + else high = ( (low + high) / 2); + } + return OBV_NOTFOUND; +} + +static __inline__ int do_obv_proc_acl_search(struct obv_acl *proc,struct obv_proc_acl *root,struct obv_temp *curr) +{ + /* Nonrecursively search down the Red-Black tree to see if we have an acl for this file*/ + struct obv_proc_acl *pos = root; + if(proc == NULL || pos == NULL) /* no entry*/ { + return OBV_DEFAULT; + } + // obv_seclog("Got called...and there's an entry (curr is %ld %d\n",curr->file_inode,curr->file_dev); + while(pos != obv_empty_tree) { + if(obv_procacl_eq(curr,pos)) { + if(curr->mode & pos->mode) { + __u16 tmp; +#ifdef CONFIG_OBV_DEBUG + obv_seclog("Process %ld %d allowed for file %ld %d tried for mode %x allowed mode %x\n",proc->file_inode,proc->file_dev,curr->file_inode,curr->file_dev,curr->mode,pos->mode); +#endif + tmp = pos->mode & OBV_PROC_EXTRA; + curr->mode |= tmp; /* Store any "extra" access rights like + inherit or override*/ + return OBV_ALLOW; + } else { +#ifdef CONFIG_OBV_DEBUG + obv_seclog("Process %ld %d denied for file %ld %d tried for mode %x allowed mode %x\n",proc->file_inode,proc->file_dev,curr->file_inode,curr->file_dev,curr->mode,pos->mode); +#endif + return OBV_DENY; + } + } + else if(obv_procacl_less(curr,pos)) + pos = pos->left; + else + pos=pos->right; + } + + return OBV_NOTFOUND; +} + +static __inline__ int obv_chk_proc_acls(struct dentry * dentry, struct obv_temp *searchval, struct vfsmount *mnt) +{ + struct dentry *curr = dentry; + int retval = OBV_NOTFOUND; + struct nameidata tmp = {NULL, NULL}; + struct vfsmount *parent; + +loop : + do { + if(!curr || !curr->d_inode) break; + searchval->file_inode = curr->d_inode->i_ino; + searchval->file_dev = curr->d_inode->i_dev; + retval = do_obv_proc_acl_search(current->obvacl,current->obvacl->tree,searchval); + if(curr->d_inode == curr->d_parent->d_inode) break; + curr = curr->d_parent; + } while( (curr) && (retval == OBV_NOTFOUND) ); + if(retval == OBV_NOTFOUND && curr->d_inode && curr->d_inode->i_dev != ROOT_DEV ) { +#ifdef CONFIG_OBV_DEBUG + obv_seclog("In mount loop(proc acl) for %ld %d\n",dentry->d_inode->i_ino,dentry->d_inode->i_dev); +#endif + if(tmp.mnt) { + if(tmp.mnt == tmp.mnt->mnt_parent) goto exit; + } + else if(mnt == mnt->mnt_parent) goto exit; + + + if(!tmp.mnt) { + tmp.mnt = mnt->mnt_parent; + tmp.dentry = dget(mnt->mnt_mountpoint); + + } + + else { + parent = tmp.mnt->mnt_parent; + dput(tmp.dentry); + tmp.dentry = dget(tmp.mnt->mnt_mountpoint); + mntput(tmp.mnt); + tmp.mnt = parent; + } + mntget(tmp.mnt); + curr = tmp.dentry; + goto loop; + } +exit: + if(tmp.mnt) mntput(tmp.mnt); + if(tmp.dentry) dput(tmp.dentry); + + + return retval == OBV_NOTFOUND ? OBV_DENY : retval; + /* if its not in a program's ACL list it should be denied */ + +} + +static __inline__ int obv_chk_file_acls(struct dentry * dentry, struct obv_temp *searchval, struct vfsmount *mnt) +{ + struct dentry *curr = dentry; + int retval = OBV_NOTFOUND; + struct vfsmount *parent; + struct nameidata tmp = {NULL,NULL}; +loop: + do { + if(!curr || !curr->d_inode) break; + searchval->file_inode = curr->d_inode->i_ino; + searchval->file_dev = curr->d_inode->i_dev; + retval = do_obv_file_acl_search(searchval); + if(curr->d_inode == curr->d_parent->d_inode) break; + curr = curr->d_parent; + } while( (curr) && (retval == OBV_NOTFOUND) ); + + if(retval == OBV_NOTFOUND && curr->d_inode && curr->d_inode->i_dev != ROOT_DEV ) { + if(tmp.mnt) { + if(tmp.mnt == tmp.mnt->mnt_parent) goto exit; + } + else if(mnt == mnt->mnt_parent) goto exit; + if(!tmp.mnt) { + tmp.mnt = mnt->mnt_parent; + tmp.dentry = dget(mnt->mnt_mountpoint); + + } + + else { + parent = tmp.mnt->mnt_parent; + dput(tmp.dentry); + tmp.dentry = dget(tmp.mnt->mnt_mountpoint); + mntput(tmp.mnt); + tmp.mnt = parent; + } + mntget(tmp.mnt); + curr = tmp.dentry; + goto loop; + } +exit: + if(tmp.mnt) mntput(tmp.mnt); + if(tmp.dentry) dput(tmp.dentry); + + + + return retval; + } + + +int obv_check_hidden(struct dentry *dentry, struct vfsmount *mnt) { + /* This has to be done a little differently than a normal search. + * If a file "allows" hidden access it is hidden, and thus requires + * a process that has hidden file access capabilities to access it. + * If the file acl denies hidden access/has no acl then no proc acl + * check is needed*/ + struct obv_temp searchval; + searchval.mode = OBV_HIDDEN; + if(!dentry) return OBV_ALLOW; + if(obv_status & OBV_READY) { + if( (obv_chk_file_acls(dentry,&searchval,mnt)) == OBV_ALLOW) { + if(current->obvacl && current->obvacl->tree) + return obv_chk_proc_acls(dentry,&searchval,mnt); + else return OBV_DENY; + } + } + return OBV_ALLOW; +} + +int obv_check_hidden_proc(struct task_struct *tsk) +{ + if(obv_status & OBV_READY) + if(tsk->obvacl->mode & OBV_PROC_HIDDEN) + return 1; /* next release adds processes allowed to view hidden ones*/ + return 0; +} + +int obv_check_protected(struct task_struct *tsk) +{ + if(obv_status & OBV_READY) + if(tsk->obvacl->mode & OBV_PROC_PROTECTED) + return 1; + return 0; +} + + +int obv_search(struct dentry *dentry, __u16 mode, struct vfsmount *mnt) +{ + int proc_retval = OBV_NOTFOUND, file_retval = OBV_NOTFOUND; + int retval = OBV_DEFAULT; + if(dentry && dentry->d_inode && mnt) { + if(obv_status & OBV_READY) { + struct obv_temp searchval; + searchval.mode = mode; + if(current->obvacl && current->obvacl->tree) { + if( ( proc_retval = obv_chk_proc_acls(dentry,&searchval,mnt) ) == OBV_DENY) { + if( (current->obvacl->mode & OBV_AUTH) && (S_ISCHR(dentry->d_inode->i_mode))) + retval = OBV_NOTFOUND; + /* Okay. This process is under + * authentication mode. Let it + * read/write to the tty (and pass it on + * to the file acls just in case + * Does anyone know how to gain the ino$ + * from current->tty? It seems only the + * device num(major/minor) is stored*/ + + else { + retval = OBV_DENY; + goto out; + } + } + } + + + if( (proc_retval == OBV_ALLOW) && (searchval.mode & OBV_PROC_OVERRIDE)){ + retval = OBV_ALLOW; + goto out; + } + + if( (file_retval = obv_chk_file_acls(dentry,&searchval,mnt)) == OBV_DENY) { + retval = OBV_DENY; + goto out; + } + + if( (proc_retval != file_retval) || (proc_retval == OBV_ALLOW)) { + /* The choice to check for proc_retval being OBV_ALLOW was + * random. If proc_retval and file_retval are equal and + * either one is the value OBV_ALLOW then both are OBV_ALLOW + * */ + retval = OBV_ALLOW; + goto out; + } + } else retval = OBV_ALLOW; /* we aren't loaded, must be early in bootup*/ + } +out: + return retval; /* Else both returned OBV_NOTFOUND..must be the default*/ +} + + +static __inline__ struct obv_acl * do_obv_find_proc(struct obv_acl *curr) +{ + int high,low; + struct obv_acl *pos; + low = 0; + high = procdb.max_ref; + while(low < high) { + pos = &procdb.db[((low+high)/2)]; + if(obv_acl_less(pos,curr)) + low = ( ( (low + high) / 2) +1 ); + else if(obv_acl_eq(pos,curr)) + return pos; + else + high = ( (high + low) / 2); + } + return NULL; +} + +static int __inline__ obv_chk_inherit(struct dentry *dentry, struct vfsmount *mnt) +{ + struct obv_temp temp; + temp.mode = OBV_PROC_INHERIT; + if( (obv_chk_proc_acls(dentry,&temp,mnt)) == OBV_ALLOW) + return 1; + return 0; +} + +static int __inline__ obv_chk_auth(struct dentry *dentry, struct vfsmount *mnt) +{ + struct obv_temp temp; + temp.mode = OBV_PROC_AUTH; + if( (obv_chk_proc_acls(dentry,&temp,mnt)) == OBV_ALLOW) + return 1; + return 0; +} + +static int obv_do_auth(void) +{ +#define OBV_AUTH_MSG "Authorize yourself to Oblivion please\n" + + char *p = OBV_AUTH_MSG; + if(!(current->tty) || (!current->tty->driver.write)) return 1; + current->tty->driver.write(current->tty,0,p,strlen(p)); + current->obvacl = &obv_auth; + return 0; +} + +static int do_set_proc_acl(struct dentry *dentry, struct vfsmount *mnt, int mode) +{ + struct vfsmount *parent; + struct nameidata tmp = {NULL, NULL}; + struct obv_acl curracl, *retval = NULL; + struct dentry *curr = dentry; + + + switch(mode) { + case OBV_SET_AUTH: + return obv_chk_auth(dentry,mnt); + break; + case OBV_SET_INHERIT: + return obv_chk_inherit(dentry,mnt); + break; + case OBV_SET_PROC: + break; + default : + obv_seclog("BUG! Received unknown mode %d for set_proc_acl\n",mode); + return (unsigned long)NULL; + break; + } + /* Okay now we handle OBV_SET_PROC */ +loop: + do { + + if(!curr || !curr->d_inode) break; + curracl.file_inode = curr->d_inode->i_ino; + curracl.file_dev = curr->d_inode->i_dev; + retval = do_obv_find_proc(&curracl); + if(curr->d_inode == curr->d_parent->d_inode) break; + curr = curr->d_parent; + } while( (curr) && (!retval) ); + if(!retval && curr->d_inode && curr->d_inode->i_dev != ROOT_DEV) { + if(tmp.mnt) { + if(tmp.mnt == tmp.mnt->mnt_parent) + goto exit; + } + else if(mnt == mnt->mnt_parent) + goto exit; + + if(!tmp.mnt) { + tmp.mnt = mnt->mnt_parent; + tmp.dentry = dget(mnt->mnt_mountpoint); + + } + + else { + parent = tmp.mnt->mnt_parent; + dput(tmp.dentry); + tmp.dentry = dget(tmp.mnt->mnt_mountpoint); + mntput(tmp.mnt); + tmp.mnt = parent; + } + mntget(tmp.mnt); + curr = tmp.dentry; + goto loop; + } +exit: + if(tmp.mnt) mntput(tmp.mnt); + if(tmp.dentry) dput(tmp.dentry); + + return (unsigned long)retval; + +} + +static int do_obv_inherit(void) +{ + return 0; + /* Note: for copying due to fork() we use the code the oblivin code in + * kernel/fork.c. If we're inheriting then our current ACL + * (that of the program calling execve) is the ACL we inherit, + * so no work needs to be done. Just return success + */ +} + + +int obv_set_proc_acl(struct dentry *dentry,struct task_struct *tsk,char *filename, struct vfsmount *mnt) +{ + struct obv_acl *temp = NULL; + if(obv_status & OBV_READY) { + if(current->obvacl) { + if(do_set_proc_acl(dentry,mnt,OBV_SET_INHERIT)) + return do_obv_inherit(); + + else if(do_set_proc_acl(dentry,mnt,OBV_SET_AUTH)) + return obv_do_auth(); + } + temp = (struct obv_acl *)do_set_proc_acl(dentry,mnt,OBV_SET_PROC); + } + tsk->obvacl = temp; + if(tsk->obvacl) + tsk->cap_permitted = tsk->cap_effective = tsk->obvacl->file_caps; + return 0; +} + + +void obv_exit(struct task_struct *tsk) +{ + tsk->obvacl = NULL; +} + +static int obv_chcaps(struct obv_pw *entry) +{ + char *p = entry->extra; + char *q; + char *mode; + p[OBV_MAX_EXTRA_LEN-1] = '\0'; /* take no chances*/ + while( (q = memscan(p,'\n',strlen(p))) != p + strlen(p)) { + mode = p++; + *q++ = '\0'; + switch(*mode) { + case '+' : + cap_bset |= cap_t(obv_cap_conv(p)); + break; + case '-' : + cap_bset &= ~cap_t(obv_cap_conv(p)); + break; + default: + break; + } + p = q; + } +#ifdef CONFIG_OBV_DEBUG + obv_seclog("cap bset is now %x\n",cap_bset); +#endif + return 0; +} + +/* The following variables are needed for timer manipulation */ +static struct timer_list obv_badpw; +static int failures = 0; +static int during_wait = 0; + +static void obv_timer(unsigned long ignored) +{ + failures = 0; + during_wait = 0; + del_timer(&obv_badpw); +} + +int obv_proc_handler(ctl_table *table, int write, struct file *filp, void *buffer, size_t *lenp) +{ + /* This is the main todo. simply I allow disabling oblivion only + * at bootup(after its turned on). I don't have time today to + * impelement a good pw scheme. The first thing I do when I get back is to do that. + */ + struct obv_pw *usermode = (struct obv_pw *) buffer; + int error = sizeof(struct obv_pw); + if(*lenp != sizeof(struct obv_pw)){ + obv_seclog("Proc handler: being fed garbage %d byte send %d required\n",*lenp,sizeof(struct obv_pw)); + return -EINVAL; + } + if(during_wait) return -EPERM; + switch (usermode->mode){ + case OBV_SHUTDOWN_MODE: + if(!(obv_chkpw(usermode))) { + obv_seclog("shutdown auth success for " + "(%.16s:%d), UID(%d), EUID(%d), parent " + "(%.16s:%d), UID(%d), EUID(%d)\n", + current->comm,current->pid,current->uid, + current->euid,current->p_pptr->comm, + current->p_pptr->pid,current->p_pptr->uid, + current->p_pptr->euid); + spin_lock(&obv_lock); + obv_status &= ~OBV_READY; + obv_status |= OBV_DISABLED; + spin_unlock(&obv_lock); + break; + } else + error = -EPERM; + break; + case OBV_ENABLE_MODE: + if(obv_disable) { + obv_seclog("Disabled at boot time, ignoring load request\n"); + break; + } + else if(obv_status & OBV_1ST) { + obv_seclog("Loading %.32s\n",OBV_VERSION); + oblivion_init(); + spin_lock(&obv_lock); + obv_status &= ~OBV_1ST; + spin_unlock(&obv_lock); + break; + } + else { + obv_seclog("%.32s already loaded, re-enabling\n",OBV_VERSION); + spin_lock(&obv_lock); + obv_status &= ~OBV_DISABLED; + obv_status |= OBV_READY; + spin_unlock(&obv_lock); + break; + } + + case OBV_CHCAPS_MODE : + if(obv_status & OBV_1ST) { + oblivion_init(); + } + if(obv_status & OBV_1ST || !(obv_chkpw(usermode))) { + if(!(obv_chcaps(usermode))) { + obv_seclog("successful capability change by " + "(%.16s:%d), UID(%d), EUID(%d), parent " + "(%.16s:%d), UID(%d), EUID(%d)\n", + current->comm,current->pid,current->uid, + current->euid,current->p_pptr->comm, + current->p_pptr->pid,current->p_pptr->uid, + current->p_pptr->euid); + + } + obv_status &= ~OBV_1ST; + } + else + error = -EPERM; + break; + case OBV_GOD_MODE: + if(!(obv_chkpw(usermode))) { + obv_seclog("successful change to admin mode by " + "(%.16s:%d), UID (%d), EUID (%d), parent " + "(%.16s:%d), UID (%d), EUID (%d)\n", + current->comm,current->pid,current->uid, + current->euid,current->p_pptr->comm, + current->p_pptr->pid,current->p_pptr->uid, + current->p_pptr->euid); + if(current->p_pptr) + current->p_pptr->obvacl = &obv_god_mode; + } + else + error = -EPERM; + break; + case OBV_AUTH_MODE: + if(!(obv_chkpw(usermode)) ) { + obv_seclog("successful authentication by " + "(%.16s:%d), UID (%d), EUID (%d), parent " + "(%.16s:%d), UID (%d), EUID (%d)\n", + current->comm,current->pid,current->uid, + current->euid,current->p_pptr->comm, + current->p_pptr->pid,current->p_pptr->uid, + current->p_pptr->euid); + if(current->p_pptr) + current->p_pptr->obvacl = NULL; + /* The parent invoked obvadm, it is the + * task that we must deal with */ + } + else + error = -EPERM; + break; + + default: + obv_seclog("Invalid value %d by " + "(%.16s:%d), UID(%d), EUID(%d), parent " + "(%.16s:%d), UID(%d), EUID(%d)\n",usermode->mode, + current->comm,current->pid,current->uid, + current->euid,current->p_pptr->comm, + current->p_pptr->pid,current->p_pptr->uid, + current->p_pptr->euid); + break; + } + + if(error < 0) { + failures++; + if(failures > CONFIG_OBV_MAXTRIES) { + obv_seclog("Maximum pw attempts reached, locking " + "password authentication\n"); + init_timer(&obv_badpw); + obv_badpw.data = 0; + obv_badpw.function = obv_timer; + obv_badpw.expires = jiffies + CONFIG_OBV_TIMEOUT*HZ; + add_timer(&obv_badpw); + during_wait = 1; + } + } + + return error; +} diff -urN linux/kernel/obvhash.c linux.grsec/kernel/obvhash.c --- linux/kernel/obvhash.c Thu Jan 1 01:00:00 1970 +++ linux.grsec/kernel/obvhash.c Sun Sep 30 01:54:20 2001 @@ -0,0 +1,160 @@ +#include +#include +#include +#include +#include + +/* +Modified for use in OPM by Michael Dalton +Modified for kerneli by Andrew McDonald +from: + +SHA-1 in C +By Steve Reid +100% Public Domain +Available from: +ftp://ftp.zedz.net/pub/crypto/crypto/HASH/sha/sha1.c + +Test Vectors (from FIPS PUB 180-1) +"abc" + A9993E36 4706816A BA3E2571 7850C26C 9CD0D89D +"abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq" + 84983E44 1C3BD26E BAAE4AA1 F95129E5 E54670F1 +A million repetitions of "a" + 34AA973C D4C4DAA4 F61EEB2B DBAD2731 6534016F +*/ + + +extern struct obv_pw obv_pwent; + +void SHA1Transform(unsigned long state[5], unsigned char buffer[64]) +{ + unsigned long a, b, c, d, e; + typedef union { + unsigned char c[64]; + unsigned long l[16]; + } CHAR64LONG16; + CHAR64LONG16* block; +#ifdef SHA1HANDSOFF + static unsigned char workspace[64]; + block = (CHAR64LONG16*)workspace; + memcpy(block, buffer, 64); +#else + block = (CHAR64LONG16*)buffer; +#endif + /* Copy context->state[] to working vars */ + a = state[0]; + b = state[1]; + c = state[2]; + d = state[3]; + e = state[4]; + /* 4 rounds of 20 operations each. Loop unrolled. */ + R0(a,b,c,d,e, 0); R0(e,a,b,c,d, 1); R0(d,e,a,b,c, 2); R0(c,d,e,a,b, 3); + R0(b,c,d,e,a, 4); R0(a,b,c,d,e, 5); R0(e,a,b,c,d, 6); R0(d,e,a,b,c, 7); + R0(c,d,e,a,b, 8); R0(b,c,d,e,a, 9); R0(a,b,c,d,e,10); R0(e,a,b,c,d,11); + R0(d,e,a,b,c,12); R0(c,d,e,a,b,13); R0(b,c,d,e,a,14); R0(a,b,c,d,e,15); + R1(e,a,b,c,d,16); R1(d,e,a,b,c,17); R1(c,d,e,a,b,18); R1(b,c,d,e,a,19); + R2(a,b,c,d,e,20); R2(e,a,b,c,d,21); R2(d,e,a,b,c,22); R2(c,d,e,a,b,23); + R2(b,c,d,e,a,24); R2(a,b,c,d,e,25); R2(e,a,b,c,d,26); R2(d,e,a,b,c,27); + R2(c,d,e,a,b,28); R2(b,c,d,e,a,29); R2(a,b,c,d,e,30); R2(e,a,b,c,d,31); + R2(d,e,a,b,c,32); R2(c,d,e,a,b,33); R2(b,c,d,e,a,34); R2(a,b,c,d,e,35); + R2(e,a,b,c,d,36); R2(d,e,a,b,c,37); R2(c,d,e,a,b,38); R2(b,c,d,e,a,39); + R3(a,b,c,d,e,40); R3(e,a,b,c,d,41); R3(d,e,a,b,c,42); R3(c,d,e,a,b,43); + R3(b,c,d,e,a,44); R3(a,b,c,d,e,45); R3(e,a,b,c,d,46); R3(d,e,a,b,c,47); + R3(c,d,e,a,b,48); R3(b,c,d,e,a,49); R3(a,b,c,d,e,50); R3(e,a,b,c,d,51); + R3(d,e,a,b,c,52); R3(c,d,e,a,b,53); R3(b,c,d,e,a,54); R3(a,b,c,d,e,55); + R3(e,a,b,c,d,56); R3(d,e,a,b,c,57); R3(c,d,e,a,b,58); R3(b,c,d,e,a,59); + R4(a,b,c,d,e,60); R4(e,a,b,c,d,61); R4(d,e,a,b,c,62); R4(c,d,e,a,b,63); + R4(b,c,d,e,a,64); R4(a,b,c,d,e,65); R4(e,a,b,c,d,66); R4(d,e,a,b,c,67); + R4(c,d,e,a,b,68); R4(b,c,d,e,a,69); R4(a,b,c,d,e,70); R4(e,a,b,c,d,71); + R4(d,e,a,b,c,72); R4(c,d,e,a,b,73); R4(b,c,d,e,a,74); R4(a,b,c,d,e,75); + R4(e,a,b,c,d,76); R4(d,e,a,b,c,77); R4(c,d,e,a,b,78); R4(b,c,d,e,a,79); + /* Add the working vars back into context.state[] */ + state[0] += a; + state[1] += b; + state[2] += c; + state[3] += d; + state[4] += e; + /* Wipe variables */ + a = b = c = d = e = 0; +} + + +/* SHA1Init - Initialize new context */ + +void SHA1Init(struct SHA1_CTX* context) +{ + /* SHA1 initialization constants */ + context->state[0] = 0x67452301; + context->state[1] = 0xEFCDAB89; + context->state[2] = 0x98BADCFE; + context->state[3] = 0x10325476; + context->state[4] = 0xC3D2E1F0; + context->count[0] = context->count[1] = 0; +} + + +/* Run your data through this. */ + +void SHA1Update(struct SHA1_CTX* context, unsigned char* data, unsigned int len) +{ + unsigned int i, j; + + j = (context->count[0] >> 3) & 63; + if ((context->count[0] += len << 3) < (len << 3)) context->count[1]++; + context->count[1] += (len >> 29); + if ((j + len) > 63) { + memcpy(&context->buffer[j], data, (i = 64-j)); + SHA1Transform(context->state, context->buffer); + for ( ; i + 63 < len; i += 64) { + SHA1Transform(context->state, &data[i]); + } + j = 0; + } + else i = 0; + memcpy(&context->buffer[j], &data[i], len - i); +} + + +/* Add padding and return the message digest. */ + +void SHA1Final(unsigned char digest[20], struct SHA1_CTX* context) +{ + unsigned long i, j; + unsigned char finalcount[8]; + + for (i = 0; i < 8; i++) { + finalcount[i] = (unsigned char)((context->count[(i >= 4 ? 0 : 1)] + >> ((3-(i & 3)) * 8) ) & 255); + /* Endian independent */ + } + SHA1Update(context, (unsigned char *)"\200", 1); + while ((context->count[0] & 504) != 448) { + SHA1Update(context, (unsigned char *)"\0", 1); + } + SHA1Update(context, finalcount, 8); /* Should cause a SHA1Transform() */ + for (i = 0; i < 20; i++) { + digest[i] = (unsigned char) + ((context->state[i>>2] >> ((3-(i & 3)) * 8) ) & 255); + } + /* Wipe variables */ + i = j = 0; + memset(context->buffer, 0, 64); + memset(context->state, 0, 20); + memset(context->count, 0, 8); + memset(&finalcount, 0, 8); +#ifdef SHA1HANDSOFF /* make SHA1Transform overwrite it's own static vars */ + SHA1Transform(context->state, context->buffer); +#endif +} + +int obv_chkpw(struct obv_pw *entry) +{ + struct SHA1_CTX context; + char *pos = memscan(entry->pw,'\n',strlen(entry->pw)); + if(pos != entry->pw + strlen(entry->pw)) *pos = '\0'; + SHA1Init(&context); + SHA1Update(&context,entry->pw,strlen(entry->pw)); + SHA1Final(entry->sum,&context); + return memcmp(obv_pwent.sum,entry->sum,OBV_SHASUM_SIZE); +} diff -urN linux/kernel/obvqsort.c linux.grsec/kernel/obvqsort.c --- linux/kernel/obvqsort.c Thu Jan 1 01:00:00 1970 +++ linux.grsec/kernel/obvqsort.c Sun Sep 30 01:54:20 2001 @@ -0,0 +1,229 @@ +/* * * * * * * * * * * * * * * * * * * * * * * * * + * The following code is a slightly modified qsort found in glibc + * The best implementation for a non-recursive qsort around + * that I could find, and probably + * better than what I would have come up with=) + * * * * * * * * * * * * * * * * * * * * * * * * */ +#include +#include +#include + + + +/* Byte-wise swap two items of size SIZE. */ +#define SWAP(a, b, size) \ + do \ + { \ + register size_t __size = (size); \ + register char *__a = (a), *__b = (b); \ + do \ + { \ + char __tmp = *__a; \ + *__a++ = *__b; \ + *__b++ = __tmp; \ + } while (--__size > 0); \ + } while (0) + +/* Discontinue quicksort algorithm when partition gets below this size. + This particular magic number was chosen to work best on a Sun 4/260. */ +#define MAX_THRESH 4 + +/* Stack node declarations used to store unfulfilled partition obligations. */ +typedef struct + { + char *lo; + char *hi; + } stack_node; + +/* The next 4 #defines implement a very fast in-line stack abstraction. */ +#define STACK_SIZE (8 * sizeof(unsigned long int)) +#define PUSH(low, high) ((void) ((top->lo = (low)), (top->hi = (high)), ++top)) +#define POP(low, high) ((void) (--top, (low = top->lo), (high = top->hi))) +#define STACK_NOT_EMPTY (stack < top) + + +/* Order size using quicksort. This implementation incorporates + four optimizations discussed in Sedgewick: + + 1. Non-recursive, using an explicit stack of pointer that store the + next array partition to sort. To save time, this maximum amount + of space required to store an array of MAX_INT is allocated on the + stack. Assuming a 32-bit integer, this needs only 32 * + sizeof(stack_node) == 136 bits. Pretty cheap, actually. + + 2. Chose the pivot element using a median-of-three decision tree. + This reduces the probability of selecting a bad pivot value and + eliminates certain extraneous comparisons. + + 3. Only quicksorts TOTAL_ELEMS / MAX_THRESH partitions, leaving + insertion sort to order the MAX_THRESH items within each partition. + This is a big win, since insertion sort is faster for small, mostly + sorted array segments. + + 4. The larger of the two sub-partitions is always pushed onto the + stack first, with the algorithm then concentrating on the + smaller partition. This *guarantees* no more than log (n) + stack size is needed (actually O(1) in this case)! */ + + +void obv_qsort (void *pbase, size_t total_elems, size_t size, int (*cmp) (const void *, const void*)) +{ + register char *base_ptr = (char *) pbase; + + /* Allocating SIZE bytes for a pivot buffer facilitates a better + algorithm below since we can do comparisons directly on the pivot. */ + char *pivot_buffer = (char *) kmalloc(size,GFP_KERNEL); + const size_t max_thresh = MAX_THRESH * size; + + if (total_elems == 0) + /* Avoid lossage with unsigned arithmetic below. */ + return; + + if (total_elems > MAX_THRESH) + { + char *lo = base_ptr; + char *hi = &lo[size * (total_elems - 1)]; + /* Largest size needed for 32-bit int!!! */ + stack_node stack[STACK_SIZE]; + stack_node *top = stack + 1; + + while (STACK_NOT_EMPTY) + { + char *left_ptr; + char *right_ptr; + + char *pivot = pivot_buffer; + + /* Select median value from among LO, MID, and HI. Rearrange + LO and HI so the three values are sorted. This lowers the + probability of picking a pathological pivot value and + skips a comparison for both the LEFT_PTR and RIGHT_PTR. */ + + char *mid = lo + size * ((hi - lo) / size >> 1); + + if ((*cmp) ((void *) mid, (void *) lo) < 0) + SWAP (mid, lo, size); + if ((*cmp) ((void *) hi, (void *) mid) < 0) + SWAP (mid, hi, size); + else + goto jump_over; + if ((*cmp) ((void *) mid, (void *) lo) < 0) + SWAP (mid, lo, size); + jump_over:; + memcpy (pivot, mid, size); + pivot = pivot_buffer; + + left_ptr = lo + size; + right_ptr = hi - size; + + /* Here's the famous ``collapse the walls'' section of quicksort. + Gotta like those tight inner loops! They are the main reason + that this algorithm runs much faster than others. */ + do + { + while ((*cmp) ((void *) left_ptr, (void *) pivot) < 0) + left_ptr += size; + + while ((*cmp) ((void *) pivot, (void *) right_ptr) < 0) + right_ptr -= size; + + if (left_ptr < right_ptr) + { + SWAP (left_ptr, right_ptr, size); + left_ptr += size; + right_ptr -= size; + } + else if (left_ptr == right_ptr) + { + left_ptr += size; + right_ptr -= size; + break; + } + } + while (left_ptr <= right_ptr); + + /* Set up pointers for next iteration. First determine whether + left and right partitions are below the threshold size. If so, + ignore one or both. Otherwise, push the larger partition's + bounds on the stack and continue sorting the smaller one. */ + + if ((size_t) (right_ptr - lo) <= max_thresh) + { + if ((size_t) (hi - left_ptr) <= max_thresh) + /* Ignore both small partitions. */ + POP (lo, hi); + else + /* Ignore small left partition. */ + lo = left_ptr; + } + else if ((size_t) (hi - left_ptr) <= max_thresh) + /* Ignore small right partition. */ + hi = right_ptr; + else if ((right_ptr - lo) > (hi - left_ptr)) + { + /* Push larger left partition indices. */ + PUSH (lo, right_ptr); + lo = left_ptr; + } + else + { + /* Push larger right partition indices. */ + PUSH (left_ptr, hi); + hi = right_ptr; + } + } + } + kfree(pivot_buffer); + + /* Once the BASE_PTR array is partially sorted by quicksort the rest + is completely sorted using insertion sort, since this is efficient + for partitions below MAX_THRESH size. BASE_PTR points to the beginning + of the array to sort, and END_PTR points at the very last element in + the array (*not* one beyond it!). */ + + + { + char *const end_ptr = &base_ptr[size * (total_elems - 1)]; + char *tmp_ptr = base_ptr; + char *thresh = min(end_ptr, base_ptr + max_thresh); + register char *run_ptr; + + /* Find smallest element in first threshold and place it at the + array's beginning. This is the smallest array element, + and the operation speeds up insertion sort's inner loop. */ + + for (run_ptr = tmp_ptr + size; run_ptr <= thresh; run_ptr += size) + if ((*cmp) ((void *) run_ptr, (void *) tmp_ptr) < 0) + tmp_ptr = run_ptr; + + if (tmp_ptr != base_ptr) + SWAP (tmp_ptr, base_ptr, size); + + /* Insertion sort, running from left-hand-side up to right-hand-side. */ + + run_ptr = base_ptr + size; + while ((run_ptr += size) <= end_ptr) + { + tmp_ptr = run_ptr - size; + while ((*cmp) ((void *) run_ptr, (void *) tmp_ptr) < 0) + tmp_ptr -= size; + + tmp_ptr += size; + if (tmp_ptr != run_ptr) + { + char *trav; + + trav = run_ptr + size; + while (--trav >= run_ptr) + { + char c = *trav; + char *hi, *lo; + + for (hi = lo = trav; (lo -= size) >= tmp_ptr; hi = lo) + *hi = *lo; + *hi = c; + } + } + } + } +} diff -urN linux/kernel/signal.c linux.grsec/kernel/signal.c --- linux/kernel/signal.c Thu Jan 4 05:45:26 2001 +++ linux.grsec/kernel/signal.c Sun Sep 30 01:54:20 2001 @@ -16,6 +16,21 @@ #include +#if defined(CONFIG_GRKERNSEC_SIGNAL)||defined(CONFIG_GRKERNSEC_CHROOT) +#include +#endif + +#ifdef CONFIG_OBV_PROC +#include +#include +#endif + + + +#ifdef CONFIG_GRKERNSEC_CHROOT +extern struct task_struct *child_reaper; +#endif + /* * SLAB caches for signal bits. */ @@ -518,7 +533,31 @@ ret = -EPERM; if (bad_signal(sig, info, t)) goto out_nolock; - +#ifdef CONFIG_GRKERNSEC_CHROOT + if( t->pid && current->pid && child_reaper && child_reaper->pid && current->fs && current->pid > 1 + && sig && grsec_enable_chroot && + !( sig == SIGALRM || sig == SIGIO || + ((current->fs->root->d_inode->i_dev == + child_reaper->fs->root->d_inode->i_dev) && + (current->fs->root->d_inode->i_ino == + child_reaper->fs->root->d_inode->i_ino)) || + ((t->fs->root->d_inode->i_dev == + current->fs->root->d_inode->i_dev) && + (t->fs->root->d_inode->i_ino == + current->fs->root->d_inode->i_ino)) || + (t->pid == current->p_pptr->pid && sig == SIGCHLD) ) ) { + security_alert("denied signal %d out of chroot() jail (%.32s:%lu) of %d.%d " + "by (%.16s:%d), UID (%d), EUID (%d), parent (%.16s:%d), UID (%d), EUID (%d) " + "to (%.16s:%d), UID (%d), EUID (%d), parent (%.16s:%d), UID (%d), EUID (%d)", + "denied signals in chroot()",sig,kdevname(current->fs->root->d_inode->i_dev), + current->fs->root->d_inode->i_ino,current->fs->root->d_inode->i_uid, + current->fs->root->d_inode->i_gid,current->comm,current->pid,current->uid, + current->euid,current->p_pptr->comm,current->p_pptr->pid,current->p_pptr->uid, + current->p_pptr->euid,t->comm,t->pid,t->uid,t->euid,t->p_pptr->comm, + t->p_pptr->pid,t->p_pptr->uid,t->p_pptr->euid); + goto out_nolock; + } +#endif /* The null signal is a permissions and process existance probe. No signal is actually delivered. Same goes for zombies. */ ret = 0; @@ -528,6 +567,25 @@ spin_lock_irqsave(&t->sigmask_lock, flags); handle_stop_signal(sig, t); +#ifdef CONFIG_GRKERNSEC_SIGNAL + if(grsec_enable_signal && ( + (sig == SIGSEGV) || (sig == SIGILL) || (sig == SIGABRT) || (sig == SIGBUS))) { + if(t->pid == current->pid) { + security_alert("signal %d sent to (%.16s:%d), UID (%d), EUID (%d), " + "parent (%.16s:%d), UID (%d), EUID (%d)","signal warnings",sig, + t->comm,t->pid,t->uid,t->euid,t->p_pptr->comm,t->p_pptr->pid, + t->p_pptr->uid,t->p_pptr->euid); + } else { + security_alert("signal %d sent to (%.16s:%d), UID (%d), EUID (%d), " + "parent (%.16s:%d), UID (%d), EUID (%d) by (%.16s:%d), UID (%d), EUID (%d), " + "parent (%.16s:%d), UID (%d), EUID (%d)","signal warnings", + sig,t->comm,t->pid,t->uid,t->euid,t->p_pptr->comm,t->p_pptr->pid, + t->p_pptr->uid,t->p_pptr->euid,current->comm,current->pid, + current->uid,current->euid,current->p_pptr->comm,current->p_pptr->pid, + current->p_pptr->uid,current->p_pptr->euid); + } + } +#endif /* Optimize away the signal, if it's a signal that can be handled immediately (ie non-blocked and untraced) and that is ignored (either explicitly or by default). */ @@ -980,6 +1038,22 @@ sys_kill(int pid, int sig) { struct siginfo info; + +#ifdef CONFIG_OBV_PROC + struct task_struct *tsk = find_task_by_pid(pid); + if(tsk && tsk->obvacl) { + if( (obv_check_protected(tsk)) ) { + if(current->pid > 1) { +#ifdef CONFIG_OBV_DEBUG + obv_seclog("protected proc: returning EPERM, not init\n"); + /* Allow init to kill for shutdown purposes*/ +#endif + return -EPERM; + } + } + } +#endif + info.si_signo = sig; info.si_errno = 0; diff -urN linux/kernel/sys.c linux.grsec/kernel/sys.c --- linux/kernel/sys.c Fri Jul 20 05:34:31 2001 +++ linux.grsec/kernel/sys.c Sun Sep 30 01:54:20 2001 @@ -4,6 +4,7 @@ * Copyright (C) 1991, 1992 Linus Torvalds */ +#include #include #include #include @@ -18,6 +19,10 @@ #include #include +#ifdef CONFIG_GRKERNSEC_SUID +#include +#endif + /* * this is where the system-wide overflow UID and GID are defined, for * architectures that now have 32-bit UID/GID but didn't in the past @@ -378,6 +383,13 @@ int old_egid = current->egid; int new_rgid = old_rgid; int new_egid = old_egid; +#ifdef CONFIG_GRKERNSEC_SUID + if(grsec_enable_suid) + printk(KERN_INFO "grsecurity: setregid(rgid=%d/egid=%d) by (%.16s:%d),UID(%d), EUID(%d), parent (%.16s:%d), " + "UID(%d), EUID(%d)\n",rgid,egid,current->comm,current->pid, + current->uid,current->euid,current->p_pptr->comm,current->p_pptr->pid, + current->p_pptr->uid,current->p_pptr->euid); +#endif if (rgid != (gid_t) -1) { if ((old_rgid == rgid) || @@ -419,6 +431,13 @@ asmlinkage long sys_setgid(gid_t gid) { int old_egid = current->egid; +#ifdef CONFIG_GRKERNSEC_SUID + if(grsec_enable_suid) + printk(KERN_INFO "grsecurity: setgid(%d) by (%.16s:%d), UID(%d), EUID(%d), parent (%.16s:%d), " + "UID(%d), EUID(%d)\n",gid,current->comm,current->pid, + current->uid,current->euid,current->p_pptr->comm,current->p_pptr->pid, + current->p_pptr->uid,current->p_pptr->euid); +#endif if (capable(CAP_SETGID)) { @@ -538,6 +557,13 @@ new_ruid = old_ruid = current->uid; new_euid = old_euid = current->euid; old_suid = current->suid; +#ifdef CONFIG_GRKERNSEC_SUID + if(grsec_enable_suid) + printk(KERN_INFO "grsecurity: setreuid(ruid=%d/euid=%d) by (%.16s:%d), UID(%d), EUID(%d), parent (%.16s:%d), " + "UID(%d), EUID(%d)\n",ruid,euid,current->comm,current->pid, + current->uid,current->euid,current->p_pptr->comm,current->p_pptr->pid, + current->p_pptr->uid,current->p_pptr->euid); +#endif if (ruid != (uid_t) -1) { new_ruid = ruid; @@ -598,7 +624,13 @@ old_ruid = new_ruid = current->uid; old_suid = current->suid; new_suid = old_suid; - +#ifdef CONFIG_GRKERNSEC_SUID + if(grsec_enable_suid) + printk(KERN_INFO "grsecurity: setuid(%d) by (%.16s:%d), UID(%d), EUID(%d), parent (%.16s:%d), " + "UID(%d), EUID(%d)\n",uid,current->comm,current->pid, + current->uid,current->euid,current->p_pptr->comm,current->p_pptr->pid, + current->p_pptr->uid,current->p_pptr->euid); +#endif if (capable(CAP_SETUID)) { if (uid != old_ruid && set_user(uid, old_euid != uid) < 0) return -EAGAIN; @@ -631,6 +663,13 @@ int old_ruid = current->uid; int old_euid = current->euid; int old_suid = current->suid; +#ifdef CONFIG_GRKERNSEC_SUID + if(grsec_enable_suid) + printk(KERN_INFO "grsecurity: setresuid(ruid=%d/suid=%d/euid=%d) by (%.16s:%d), UID(%d), EUID(%d), parent (%.16s:%d), " + "UID(%d), EUID(%d)\n",ruid,suid,euid,current->comm,current->pid, + current->uid,current->euid,current->p_pptr->comm,current->p_pptr->pid, + current->p_pptr->uid,current->p_pptr->euid); +#endif if (!capable(CAP_SETUID)) { if ((ruid != (uid_t) -1) && (ruid != current->uid) && @@ -682,6 +721,14 @@ */ asmlinkage long sys_setresgid(gid_t rgid, gid_t egid, gid_t sgid) { +#ifdef CONFIG_GRKERNSEC_SUID + if(grsec_enable_suid) + printk(KERN_INFO "grsecurity: setresgid(rgid=%d/sgid=%d/egid=%d) by (%.16s:%d), UID(%d), EUID(%d), parent (%.16s:%d), " + "UID(%d), EUID(%d)\n",rgid,sgid,egid,current->comm,current->pid, + current->uid,current->euid,current->p_pptr->comm,current->p_pptr->pid, + current->p_pptr->uid,current->p_pptr->euid); +#endif + if (!capable(CAP_SETGID)) { if ((rgid != (gid_t) -1) && (rgid != current->gid) && (rgid != current->egid) && (rgid != current->sgid)) @@ -730,6 +777,13 @@ asmlinkage long sys_setfsuid(uid_t uid) { int old_fsuid; +#ifdef CONFIG_GRKERNSEC_SUID + if(grsec_enable_suid) + printk(KERN_INFO "grsecurity: setfsuid(%d) by (%.16s:%d), UID(%d), EUID(%d), parent (%.16s:%d), " + "UID(%d), EUID(%d)\n",uid,current->comm,current->pid, + current->uid,current->euid,current->p_pptr->comm,current->p_pptr->pid, + current->p_pptr->uid,current->p_pptr->euid); +#endif old_fsuid = current->fsuid; if (uid == current->uid || uid == current->euid || @@ -772,6 +826,13 @@ asmlinkage long sys_setfsgid(gid_t gid) { int old_fsgid; +#ifdef CONFIG_GRKERNSEC_SUID + if(grsec_enable_suid) + printk(KERN_INFO "grsecurity: setfsgid(%d) by (%.16s:%d), UID(%d), EUID(%d), parent (%.16s:%d), " + "UID(%d), EUID(%d)\n",gid,current->comm,current->pid, + current->uid,current->euid,current->p_pptr->comm,current->p_pptr->pid, + current->p_pptr->uid,current->p_pptr->euid); +#endif old_fsgid = current->fsgid; if (gid == current->gid || gid == current->egid || diff -urN linux/kernel/sysctl.c linux.grsec/kernel/sysctl.c --- linux/kernel/sysctl.c Sun Sep 30 01:30:58 2001 +++ linux.grsec/kernel/sysctl.c Sun Sep 30 01:54:20 2001 @@ -34,12 +34,20 @@ #include #include +#include + #include #ifdef CONFIG_ROOT_NFS #include #endif +#ifdef CONFIG_OBV_PROC +#include +#endif + + + #if defined(CONFIG_SYSCTL) /* External variables not in a header file. */ @@ -117,6 +125,9 @@ static ctl_table debug_table[]; static ctl_table dev_table[]; extern ctl_table random_table[]; +#ifdef CONFIG_GRKERNSEC_SYSCTL +static ctl_table grsecurity_table[]; +#endif /* /proc declarations: */ @@ -265,9 +276,317 @@ {KERN_KDB, "kdb", &kdb_on, sizeof(int), 0644, NULL, &proc_dointvec}, #endif /* CONFIG_KDB */ +#ifdef CONFIG_GRKERNSEC_SYSCTL + {KERN_GRSECURITY, "grsecurity", NULL, 0, 0550, grsecurity_table}, +#endif +#ifdef CONFIG_OBV_PROC + {KERN_OBV,"oblivion",NULL,sizeof(int),0600,NULL,&obv_proc_handler}, +#endif + {0} }; +#ifdef CONFIG_GRKERNSEC_LINK +int grsec_enable_link= -1; +#endif +#ifdef CONFIG_GRKERNSEC_FIFO +int grsec_enable_fifo= -1; +#endif +#ifdef CONFIG_GRKERNSEC_FD +int grsec_enable_fd= -1; +#endif +#ifdef CONFIG_GRKERNSEC_EXECVE +int grsec_enable_execve= -1; +#endif +#ifdef CONFIG_GRKERNSEC_FORKBOMB +int grsec_enable_forkbomb= -1; +#ifdef CONFIG_GRKERNSEC_SYSCTL +int grsec_forkbomb_gid = -1; +int grsec_forkbomb_sec = -1; +int grsec_forkbomb_max = -1; +#else +int grsec_forkbomb_gid = CONFIG_GRKERNSEC_FORKBOMB_GID; +int grsec_forkbomb_sec = CONFIG_GRKERNSEC_FORKBOMB_SEC; +int grsec_forkbomb_max = CONFIG_GRKERNSEC_FORKBOMB_MAX; +#endif +#endif +#ifdef CONFIG_GRKERNSEC_EXECLOG +int grsec_enable_execlog= -1; +#endif +#ifdef CONFIG_GRKERNSEC_SUID +int grsec_enable_suid= -1; +#endif +#ifdef CONFIG_GRKERNSEC_SIGNAL +int grsec_enable_signal= -1; +#endif +#ifdef CONFIG_GRKERNSEC_COREDUMP +int grsec_enable_coredump= -1; +#endif +#ifdef CONFIG_GRKERNSEC_FORKFAIL +int grsec_enable_forkfail= -1; +#endif +#ifdef CONFIG_GRKERNSEC_TIME +int grsec_enable_time= -1; +#endif +#ifdef CONFIG_GRKERNSEC_KBMAP +int grsec_enable_kbmap= -1; +#endif +#ifdef CONFIG_GRKERNSEC_RANDNET +int grsec_enable_randnet= -1; +#endif +#ifdef CONFIG_GRKERNSEC_CHROOT +int grsec_enable_chroot= -1; +#endif +#ifdef CONFIG_GRKERNSEC_CHROOT_EXECLOG +int grsec_enable_chroot_execlog= -1; +#endif +#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS +int grsec_enable_chroot_caps= -1; +#endif +#ifdef CONFIG_GRKERNSEC_TPE +int grsec_enable_tpe= -1; +#ifdef CONFIG_GRKERNSEC_SYSCTL +int grsec_tpe_gid= -1; +#else +int grsec_tpe_gid= CONFIG_GRKERNSEC_TPE_GID; +#endif +#ifdef CONFIG_GRKERNSEC_TPE_GLIBC +int grsec_enable_tpe_glibc= -1; +#endif +#ifdef CONFIG_GRKERNSEC_TPE_ALL +int grsec_enable_tpe_all= -1; +#endif +#endif +#ifdef CONFIG_GRKERNSEC_RANDPID +int grsec_enable_randpid= -1; +#endif +#ifdef CONFIG_GRKERNSEC_RANDID +int grsec_enable_randid= -1; +#endif +#ifdef CONFIG_GRKERNSEC_RANDSRC +int grsec_enable_randsrc= -1; +#endif +#ifdef CONFIG_GRKERNSEC_RANDPING +int grsec_enable_randping= -1; +#endif +#ifdef CONFIG_GRKERNSEC_RANDTTL +int grsec_enable_randttl= -1; +#ifdef CONFIG_GRKERNSEC_SYSCTL +int grsec_randttl_thresh= -1; +#else +int grsec_randttl_thresh= CONFIG_GRKERNSEC_RANDTTL_THRESH; +#endif +#endif +#ifdef CONFIG_GRKERNSEC_SOCKET_ALL +int grsec_enable_socket_all= -1; +#ifdef CONFIG_GRKERNSEC_SYSCTL +int grsec_socket_all_gid= -1; +#else +int grsec_socket_all_gid= CONFIG_GRKERNSEC_ALL_GID; +#endif +#endif +#ifdef CONFIG_GRKERNSEC_SOCKET_CLIENT +int grsec_enable_socket_client= -1; +#ifdef CONFIG_GRKERNSEC_SYSCTL +int grsec_socket_client_gid= -1; +#else +int grsec_socket_client_gid= CONFIG_GRKERNSEC_CLIENT_GID; +#endif +#endif +#ifdef CONFIG_GRKERNSEC_SOCKET_SERVER +int grsec_enable_socket_server= -1; +#ifdef CONFIG_GRKERNSEC_SYSCTL +int grsec_socket_server_gid= -1; +#else +int grsec_socket_server_gid= CONFIG_GRKERNSEC_SERVER_GID; +#endif +#endif +#ifdef CONFIG_GRKERNSEC_STEALTH_RST +int grsec_enable_stealth_rst= -1; +#endif +#ifdef CONFIG_GRKERNSEC_STEALTH_UDP +int grsec_enable_stealth_udp= -1; +#endif +#ifdef CONFIG_GRKERNSEC_STEALTH_ICMP +int grsec_enable_stealth_icmp= -1; +#endif +#ifdef CONFIG_GRKERNSEC_STEALTH_IGMP +int grsec_enable_stealth_igmp= -1; +#endif +#ifdef CONFIG_GRKERNSEC_STEALTH_FLAGS +int grsec_enable_stealth_flags= -1; +#endif + +#ifdef CONFIG_GRKERNSEC_SYSCTL +enum {GS_LINK=1,GS_FIFO, GS_FD, GS_EXECVE, GS_FORK, +GS_FORK_GID, GS_FORK_SEC, GS_FORK_MAX, GS_EXECLOG, GS_SUID, +GS_SIGNAL, GS_COREDUMP, GS_FORKFAIL, GS_TIME, GS_KBMAP, GS_RANDNET, +GS_CHROOT, GS_CHROOT_EXECLOG, GS_CHROOT_CAPS, GS_TPE, GS_TPE_GID, +GS_TPE_GLIBC, GS_TPE_ALL, GS_SIDCAPS, GS_RANDPID, GS_RANDID, GS_RANDSRC, +GS_RANDPING, GS_RANDTTL, GS_RANDTTL_THRESH, GS_SOCKET_ALL, +GS_SOCKET_ALL_GID, GS_SOCKET_CLIENT, GS_SOCKET_CLIENT_GID, +GS_SOCKET_SERVER, GS_SOCKET_SERVER_GID, GS_STEALTH_RST, +GS_STEALTH_UDP, GS_STEALTH_ICMP, GS_STEALTH_IGMP, GS_STEALTH_FLAGS}; + +static ctl_table grsecurity_table[] = { +#ifdef CONFIG_GRKERNSEC_LINK + {GS_LINK, "linking_restrictions", &grsec_enable_link, sizeof (int), + 0640, NULL, &proc_dointvec}, +#endif +#ifdef CONFIG_GRKERNSEC_FIFO + {GS_FIFO, "fifo_restrictions", &grsec_enable_fifo, sizeof (int), + 0640, NULL, &proc_dointvec}, +#endif +#ifdef CONFIG_GRKERNSEC_FD + {GS_FD, "secure_fds", &grsec_enable_fd, sizeof (int), + 0640, NULL, &proc_dointvec}, +#endif +#ifdef CONFIG_GRKERNSEC_EXECVE + {GS_EXECVE, "execve_limiting", &grsec_enable_execve, sizeof (int), + 0640, NULL, &proc_dointvec}, +#endif +#ifdef CONFIG_GRKERNSEC_FORKBOMB + {GS_FORK, "fork_bomb_prot", &grsec_enable_forkbomb, sizeof (int), + 0640, NULL, &proc_dointvec}, + {GS_FORK_GID, "fork_bomb_gid", &grsec_forkbomb_gid, sizeof (int), + 0640, NULL, &proc_dointvec}, + {GS_FORK_SEC, "fork_bomb_sec", &grsec_forkbomb_sec, sizeof (int), + 0640, NULL, &proc_dointvec}, + {GS_FORK_MAX, "fork_bomb_max", &grsec_forkbomb_max, sizeof (int), + 0640, NULL, &proc_dointvec}, +#endif +#ifdef CONFIG_GRKERNSEC_EXECLOG + {GS_EXECLOG, "exec_logging", &grsec_enable_execlog, sizeof (int), + 0640, NULL, &proc_dointvec}, +#endif +#ifdef CONFIG_GRKERNSEC_SUID + {GS_SUID, "suid_logging", &grsec_enable_suid, sizeof (int), + 0640, NULL, &proc_dointvec}, +#endif +#ifdef CONFIG_GRKERNSEC_SIGNAL + {GS_SIGNAL, "signal_logging", &grsec_enable_signal, sizeof (int), + 0640, NULL, &proc_dointvec}, +#endif +#ifdef CONFIG_GRKERNSEC_COREDUMP + {GS_COREDUMP, "coredump", &grsec_enable_coredump, sizeof (int), + 0640, NULL, &proc_dointvec}, +#endif +#ifdef CONFIG_GRKERNSEC_FORKFAIL + {GS_FORKFAIL, "forkfail_logging", &grsec_enable_forkfail, sizeof (int), + 0640, NULL, &proc_dointvec}, +#endif +#ifdef CONFIG_GRKERNSEC_TIME + {GS_TIME, "timechange_logging", &grsec_enable_time, sizeof (int), + 0640, NULL, &proc_dointvec}, +#endif +#ifdef CONFIG_GRKERNSEC_KBMAP + {GS_KBMAP, "secure_kbmap", &grsec_enable_kbmap, sizeof (int), + 0640, NULL, &proc_dointvec}, +#endif +#ifdef CONFIG_GRKERNSEC_RANDNET + {GS_RANDNET, "rand_net", &grsec_enable_randnet, sizeof (int), + 0640, NULL, &proc_dointvec}, +#endif +#ifdef CONFIG_GRKERNSEC_CHROOT + {GS_CHROOT, "chroot_restrictions", &grsec_enable_chroot, sizeof (int), + 0640, NULL, &proc_dointvec}, +#endif +#ifdef CONFIG_GRKERNSEC_CHROOT_EXECLOG + {GS_CHROOT_EXECLOG, "chroot_execlog", + &grsec_enable_chroot_execlog, sizeof (int), + 0640, NULL, &proc_dointvec}, +#endif +#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS + {GS_CHROOT_CAPS, "chroot_caps", &grsec_enable_chroot_caps, sizeof (int), + 0640, NULL, &proc_dointvec}, +#endif +#ifdef CONFIG_GRKERNSEC_TPE + {GS_TPE, "tpe", &grsec_enable_tpe, sizeof (int), + 0640, NULL, &proc_dointvec}, + {GS_TPE_GID, "tpe_gid", &grsec_tpe_gid, sizeof (int), + 0640, NULL, &proc_dointvec}, +#endif +#ifdef CONFIG_GRKERNSEC_TPE_GLIBC + {GS_TPE_GLIBC, "tpe_glibc", &grsec_enable_tpe_glibc, sizeof (int), + 0640, NULL, &proc_dointvec}, +#endif +#ifdef CONFIG_GRKERNSEC_TPE_ALL + {GS_TPE_ALL, "tpe_restrict_all", &grsec_enable_tpe_all, sizeof (int), + 0640, NULL, &proc_dointvec}, +#endif +#ifdef CONFIG_GRKERNSEC_RANDPID + {GS_RANDPID, "rand_pids", &grsec_enable_randpid, sizeof (int), + 0640, NULL, &proc_dointvec}, +#endif +#ifdef CONFIG_GRKERNSEC_RANDID + {GS_RANDID, "rand_ip_ids", &grsec_enable_randid, sizeof (int), + 0640, NULL, &proc_dointvec}, +#endif +#ifdef CONFIG_GRKERNSEC_RANDSRC + {GS_RANDSRC, "rand_tcp_src_ports", &grsec_enable_randsrc, sizeof (int), + 0640, NULL, &proc_dointvec}, +#endif +#ifdef CONFIG_GRKERNSEC_RANDPING + {GS_RANDPING, "altered_pings", &grsec_enable_randping, sizeof (int), + 0640, NULL, &proc_dointvec}, +#endif +#ifdef CONFIG_GRKERNSEC_RANDTTL + {GS_RANDTTL, "rand_ttl", &grsec_enable_randttl, sizeof (int), + 0640, NULL, &proc_dointvec}, + {GS_RANDTTL_THRESH, "rand_ttl_thresh", + &grsec_randttl_thresh, sizeof (int), + 0640, NULL, &proc_dointvec}, +#endif +#ifdef CONFIG_GRKERNSEC_SOCKET_ALL + {GS_SOCKET_ALL, "socket_all", &grsec_enable_socket_all, sizeof (int), + 0640, NULL, &proc_dointvec}, + {GS_SOCKET_ALL_GID, "socket_all_gid", + &grsec_socket_all_gid, sizeof (int), + 0640, NULL, &proc_dointvec}, +#endif +#ifdef CONFIG_GRKERNSEC_SOCKET_CLIENT + {GS_SOCKET_CLIENT, "socket_client", + &grsec_enable_socket_client, sizeof (int), + 0640, NULL, &proc_dointvec}, + {GS_SOCKET_CLIENT_GID, "socket_client_gid", + &grsec_socket_client_gid, sizeof (int), + 0640, NULL, &proc_dointvec}, +#endif +#ifdef CONFIG_GRKERNSEC_SOCKET_SERVER + {GS_SOCKET_SERVER, "socket_server", + &grsec_enable_socket_server, sizeof (int), + 0640, NULL, &proc_dointvec}, + {GS_SOCKET_SERVER_GID, "socket_server_gid", + &grsec_socket_server_gid, sizeof (int), + 0640, NULL, &proc_dointvec}, +#endif +#ifdef CONFIG_GRKERNSEC_STEALTH_RST + {GS_STEALTH_RST, "stealth_rst", &grsec_enable_stealth_rst, sizeof (int), + 0640, NULL, &proc_dointvec}, +#endif +#ifdef CONFIG_GRKERNSEC_STEALTH_UDP + {GS_STEALTH_UDP, "stealth_udp", &grsec_enable_stealth_udp, sizeof (int), + 0640, NULL, &proc_dointvec}, +#endif +#ifdef CONFIG_GRKERNSEC_STEALTH_ICMP + {GS_STEALTH_ICMP, "stealth_icmp", + &grsec_enable_stealth_icmp, sizeof (int), + 0640, NULL, &proc_dointvec}, +#endif +#ifdef CONFIG_GRKERNSEC_STEALTH_IGMP + {GS_STEALTH_IGMP, "stealth_igmp", + &grsec_enable_stealth_igmp, sizeof (int), + 0640, NULL, &proc_dointvec}, +#endif +#ifdef CONFIG_GRKERNSEC_STEALTH_FLAGS + {GS_STEALTH_FLAGS, "stealth_flags", + &grsec_enable_stealth_flags, sizeof (int), + 0640, NULL, &proc_dointvec}, +#endif + {0} +}; +#endif + static ctl_table vm_table[] = { {VM_FREEPG, "freepages", &freepages, sizeof(freepages_t), 0444, NULL, &proc_dointvec}, @@ -363,6 +682,7 @@ if (!oldlenp || get_user(old_len, oldlenp)) return -EFAULT; } + tmp = &root_table_header.ctl_entry; do { struct ctl_table_header *head = @@ -373,6 +693,7 @@ &context); if (context) kfree(context); + if (error != -ENOTDIR) return error; tmp = tmp->next; @@ -843,7 +1164,7 @@ #define TMPBUFLEN 20 char buf[TMPBUFLEN], *p; - + if (!table->data || !table->maxlen || !*lenp || (filp->f_pos && !write)) { *lenp = 0; @@ -851,6 +1172,22 @@ } i = (int *) table->data; +#ifdef CONFIG_GRKERNSEC_SYSCTL + if(table->de->parent->name && + (strlen(table->de->parent->name) == 10)) { + if((!strcmp(table->de->parent->name,"grsecurity")) && + (write) && (*i != -1)){ + security_alert("attempt to modify grsecurity " + "sysctl values by (%.16s:%d), UID (%d), EUID (%d), " + "parent (%.16s:%d), UID (%d), EUID (%d)", + "attempted sysctl changes",current->comm,current->pid, + current->uid,current->euid,current->p_pptr->comm, + current->p_pptr->pid,current->p_pptr->uid, + current->p_pptr->euid); + return -EACCES; + } + } +#endif vleft = table->maxlen / sizeof(int); left = *lenp; diff -urN linux/kernel/time.c linux.grsec/kernel/time.c --- linux/kernel/time.c Mon Oct 16 21:58:51 2000 +++ linux.grsec/kernel/time.c Sun Sep 30 01:54:20 2001 @@ -29,6 +29,9 @@ #include #include +#ifdef CONFIG_GRKERNSEC_TIME +#include +#endif /* * The timezone where the local system is located. Used as a default by some @@ -105,6 +108,13 @@ time_maxerror = NTP_PHASE_LIMIT; time_esterror = NTP_PHASE_LIMIT; write_unlock_irq(&xtime_lock); +#ifdef CONFIG_GRKERNSEC_TIME + if(grsec_enable_time) + security_alert("time set by (%.16s:%d), UID (%d), EUID (%d), parent (%.16s:%d), UID (%d), EUID (%d)", + "time sets", current->comm,current->pid,current->uid,current->euid, + current->p_pptr->comm,current->p_pptr->pid,current->p_pptr->uid, + current->p_pptr->euid); +#endif return 0; } @@ -181,6 +191,13 @@ * globally block out interrupts when it runs. */ do_settimeofday(tv); +#ifdef CONFIG_GRKERNSEC_TIME + if(grsec_enable_time) + security_alert("time set by (%.16s:%d), UID (%d), EUID (%d), parent (%.16s:%d), UID (%d), EUID (%d)", + "time sets", current->comm,current->pid,current->uid,current->euid, + current->p_pptr->comm,current->p_pptr->pid,current->p_pptr->uid, + current->p_pptr->euid); +#endif } return 0; } diff -urN linux/mm/mmap.c linux.grsec/mm/mmap.c --- linux/mm/mmap.c Tue Jul 3 21:14:15 2001 +++ linux.grsec/mm/mmap.c Sun Sep 30 02:05:24 2001 @@ -13,10 +13,15 @@ #include #include #include +#include #include #include +#ifdef CONFIG_GRKERNSEC_STACK +#include +#endif + /* description of effects of mapping type and prot in current implementation. * this is due to the limited x86 page protection hardware. The expected * behavior is in parens: @@ -243,6 +248,24 @@ */ vm_flags = calc_vm_flags(prot,flags) | mm->def_flags | VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC; +#ifdef CONFIG_GRKERNSEC_PAX + if (current->flags & PF_PAX_PAGEEXEC) { + if (flags & MAP_GROWSDOWN) + vm_flags &= ~VM_EXEC; + +#ifdef CONFIG_GRKERNSEC_PAX_MPROTECT + if ((current->flags & PF_PAX_MPROTECT) && !(prot & PROT_EXEC)) + vm_flags &= ~VM_MAYEXEC; + if ((current->flags & PF_PAX_MPROTECT) && (flags & MAP_GROWSDOWN)) + vm_flags &= ~VM_MAYEXEC; +#endif + + } else { + if (prot & (PROT_READ | PROT_WRITE)) /* they imply PROT_EXEC on IA-32 */ + vm_flags |= VM_EXEC; + } +#endif + /* mlock MCL_FUTURE? */ if (vm_flags & VM_LOCKED) { unsigned long locked = mm->locked_vm << PAGE_SHIFT; @@ -406,9 +429,20 @@ if (len > TASK_SIZE) return -ENOMEM; if (!addr) +#ifdef CONFIG_GRKERNSEC_STACK + addr = TASK_UNMAPPED_BASE(len); +#else addr = TASK_UNMAPPED_BASE; +#endif addr = PAGE_ALIGN(addr); + +#ifdef CONFIG_GRKERNSEC_PAX_RANDMMAP + /* PaX: randomize base address if requested */ + if (current->flags & PF_PAX_RANDMMAP) { + addr += current->mm->delta_mmap; + } +#endif for (vma = find_vma(current->mm, addr); ; vma = vma->vm_next) { /* At this point: (!vma || addr < vma->vm_end). */ if (TASK_SIZE - len < addr) @@ -859,6 +893,17 @@ flags |= VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC; +#ifdef CONFIG_GRKERNSEC_PAX + if (current->flags & PF_PAX_PAGEEXEC) { + flags &= ~VM_EXEC; + +#ifdef CONFIG_GRKERNSEC_PAX_MPROTECT + if (current->flags & PF_PAX_MPROTECT) + flags &= ~VM_MAYEXEC; +#endif + } +#endif + /* Can we just expand an old anonymous mapping? */ if (addr) { struct vm_area_struct * vma = find_vma(mm, addr-1); diff -urN linux/mm/mprotect.c linux.grsec/mm/mprotect.c --- linux/mm/mprotect.c Mon Mar 19 21:35:08 2001 +++ linux.grsec/mm/mprotect.c Sun Sep 30 02:06:18 2001 @@ -261,6 +261,12 @@ break; } +#ifdef CONFIG_GRKERNSEC_PAX_MPROTECT + /* PaX: disallow write access after relocs are done, hopefully noone else needs it... */ + if ((current->flags & PF_PAX_MPROTECT) && (prot & PROT_WRITE) && (vma->vm_flags & VM_MAYEXEC)) { + newflags &= ~VM_MAYWRITE; + } +#endif if (vma->vm_end >= end) { error = mprotect_fixup(vma, nstart, end, newflags); break; diff -urN linux/net/core/dev.c linux.grsec/net/core/dev.c --- linux/net/core/dev.c Mon Jul 16 01:29:40 2001 +++ linux.grsec/net/core/dev.c Sun Sep 30 01:54:20 2001 @@ -2751,7 +2751,23 @@ dp = &dev->next; } } - +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP +#ifdef CONFIG_PROC_FS + proc_net_create("dev", S_IRUSR|S_IRGRP, dev_get_info); + create_proc_read_entry("net/softnet_stat", S_IRUSR|S_IRGRP, 0, dev_proc_stats, NULL); +#ifdef WIRELESS_EXT + proc_net_create("wireless", S_IRUSR|S_IRGRP, dev_get_wireless_info); +#endif /* WIRELESS_EXT */ +#endif /* CONFIG_PROC_FS */ +#elif CONFIG_GRKERNSEC_PROC_USER +#ifdef CONFIG_PROC_FS + proc_net_create("dev", S_IRUSR, dev_get_info); + create_proc_read_entry("net/softnet_stat", S_IRUSR, 0, dev_proc_stats, NULL); +#ifdef WIRELESS_EXT + proc_net_create("wireless", S_IRUSR, dev_get_wireless_info); +#endif /* WIRELESS_EXT */ +#endif /* CONFIG_PROC_FS */ +#else #ifdef CONFIG_PROC_FS proc_net_create("dev", 0, dev_get_info); create_proc_read_entry("net/softnet_stat", 0, 0, dev_proc_stats, NULL); @@ -2759,7 +2775,7 @@ proc_net_create("wireless", 0, dev_get_wireless_info); #endif /* WIRELESS_EXT */ #endif /* CONFIG_PROC_FS */ - +#endif dev_boot_phase = 0; open_softirq(NET_TX_SOFTIRQ, net_tx_action, NULL); diff -urN linux/net/core/utils.c linux.grsec/net/core/utils.c --- linux/net/core/utils.c Mon Aug 23 19:01:02 1999 +++ linux.grsec/net/core/utils.c Sun Sep 30 01:54:20 2001 @@ -23,16 +23,50 @@ static unsigned long net_rand_seed = 152L; +#ifdef CONFIG_GRKERNSEC_RANDNET +#include +#include + +#define RNG_N_STORED_WORDS 256 +unsigned long rng_storage[RNG_N_STORED_WORDS]; +int nleft=0; +#endif + unsigned long net_random(void) { +#ifdef CONFIG_GRKERNSEC_RANDNET + if (grsec_enable_randnet) { + if (!nleft) + { + get_random_bytes(rng_storage,sizeof(rng_storage)); + nleft=RNG_N_STORED_WORDS; + } + + nleft--; + return rng_storage[nleft]; + } else { + net_rand_seed=net_rand_seed*69069L+1; + return net_rand_seed^jiffies; + } +#else net_rand_seed=net_rand_seed*69069L+1; return net_rand_seed^jiffies; +#endif } void net_srandom(unsigned long entropy) { +#ifdef CONFIG_GRKERNSEC_RANDNET + if(grsec_enable_randnet) + add_mouse_randomness((__u32)entropy); + else { net_rand_seed ^= entropy; net_random(); + } +#else + net_rand_seed ^= entropy; + net_random(); +#endif } int net_msg_cost = 5*HZ; @@ -71,3 +105,4 @@ spin_unlock_irqrestore(&ratelimit_lock, flags); return 0; } + diff -urN linux/net/ipv4/af_inet.c linux.grsec/net/ipv4/af_inet.c --- linux/net/ipv4/af_inet.c Sun Sep 30 01:30:52 2001 +++ linux.grsec/net/ipv4/af_inet.c Sun Sep 30 01:54:20 2001 @@ -83,6 +83,10 @@ #include #include #include +#if defined(CONFIG_GRKERNSEC_RANDTTL) || defined(CONFIG_GRKERNSEC_RANDID) +#include +#include +#endif #include #include @@ -320,6 +324,10 @@ struct list_head *p; struct inet_protosw *answer; +#ifdef CONFIG_GRKERNSEC_RANDTTL + unsigned long randttl; +#endif + sock->state = SS_UNCONNECTED; sk = sk_alloc(PF_INET, GFP_KERNEL, 1); if (sk == NULL) @@ -372,7 +380,14 @@ else sk->protinfo.af_inet.pmtudisc = IP_PMTUDISC_WANT; +#ifdef CONFIG_GRKERNSEC_RANDID +if(grsec_enable_randid) +get_random_bytes(&sk->protinfo.af_inet.id,(sizeof(sk->protinfo.af_inet.id) / 2)); +else sk->protinfo.af_inet.id = 0; +#else + sk->protinfo.af_inet.id = 0; +#endif sock_init_data(sock,sk); @@ -384,7 +399,16 @@ sk->backlog_rcv = sk->prot->backlog_rcv; - sk->protinfo.af_inet.ttl = sysctl_ip_default_ttl; +#ifdef CONFIG_GRKERNSEC_RANDTTL +if(grsec_enable_randttl){ + get_random_bytes(&randttl,sizeof(randttl)); + sk->protinfo.af_inet.ttl = grsec_randttl_thresh + + (randttl % (256 - grsec_randttl_thresh)); +} else + sk->protinfo.af_inet.ttl = sysctl_ip_default_ttl; +#else + sk->protinfo.af_inet.ttl = sysctl_ip_default_ttl; +#endif sk->protinfo.af_inet.mc_loop = 1; sk->protinfo.af_inet.mc_ttl = 1; @@ -1185,6 +1209,25 @@ /* * Create all the /proc entries. */ +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP +#ifdef CONFIG_PROC_FS + proc_net_create ("raw", S_IRUSR|S_IRGRP, raw_get_info); + proc_net_create ("netstat", S_IRUSR|S_IRGRP, netstat_get_info); + proc_net_create ("snmp", S_IRUSR|S_IRGRP, snmp_get_info); + proc_net_create ("sockstat", S_IRUSR|S_IRGRP, afinet_get_info); + proc_net_create ("tcp", S_IRUSR|S_IRGRP, tcp_get_info); + proc_net_create ("udp", S_IRUSR|S_IRGRP, udp_get_info); +#endif +#elif CONFIG_GRKERNSEC_PROC_USER +#ifdef CONFIG_PROC_FS + proc_net_create ("raw", S_IRUSR, raw_get_info); + proc_net_create ("netstat", S_IRUSR, netstat_get_info); + proc_net_create ("snmp", S_IRUSR, snmp_get_info); + proc_net_create ("sockstat", S_IRUSR, afinet_get_info); + proc_net_create ("tcp", S_IRUSR, tcp_get_info); + proc_net_create ("udp", S_IRUSR, udp_get_info); +#endif +#else #ifdef CONFIG_PROC_FS proc_net_create ("raw", 0, raw_get_info); proc_net_create ("netstat", 0, netstat_get_info); @@ -1192,6 +1235,7 @@ proc_net_create ("sockstat", 0, afinet_get_info); proc_net_create ("tcp", 0, tcp_get_info); proc_net_create ("udp", 0, udp_get_info); +#endif #endif /* CONFIG_PROC_FS */ return 0; } diff -urN linux/net/ipv4/arp.c linux.grsec/net/ipv4/arp.c --- linux/net/ipv4/arp.c Wed May 16 19:21:45 2001 +++ linux.grsec/net/ipv4/arp.c Sun Sep 30 01:54:20 2001 @@ -1196,8 +1196,13 @@ neigh_table_init(&arp_tbl); dev_add_pack(&arp_packet_type); - +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP + proc_net_create ("arp", S_IRUSR|S_IRGRP, arp_get_info); +#elif CONFIG_GRKERNSEC_PROC_USER + proc_net_create ("arp", S_IRUSR, arp_get_info); +#else proc_net_create ("arp", 0, arp_get_info); +#endif #ifdef CONFIG_SYSCTL neigh_sysctl_register(NULL, &arp_tbl.parms, NET_IPV4, NET_IPV4_NEIGH, "ipv4"); diff -urN linux/net/ipv4/fib_frontend.c linux.grsec/net/ipv4/fib_frontend.c --- linux/net/ipv4/fib_frontend.c Tue Jun 12 04:15:27 2001 +++ linux.grsec/net/ipv4/fib_frontend.c Sun Sep 30 01:54:20 2001 @@ -642,9 +642,19 @@ void __init ip_fib_init(void) { +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP +#ifdef CONFIG_PROC_FS + proc_net_create("route",S_IRUSR|S_IRGRP,fib_get_procinfo); +#endif /* CONFIG_PROC_FS */ +#elif CONFIG_GRKERNSEC_PROC_USER +#ifdef CONFIG_PROC_FS + proc_net_create("route",S_IRUSR,fib_get_procinfo); +#endif /* CONFIG_PROC_FS */ +#else #ifdef CONFIG_PROC_FS proc_net_create("route",0,fib_get_procinfo); #endif /* CONFIG_PROC_FS */ +#endif #ifndef CONFIG_IP_MULTIPLE_TABLES local_table = fib_hash_init(RT_TABLE_LOCAL); diff -urN linux/net/ipv4/icmp.c linux.grsec/net/ipv4/icmp.c --- linux/net/ipv4/icmp.c Thu Jun 21 06:00:55 2001 +++ linux.grsec/net/ipv4/icmp.c Sun Sep 30 01:54:20 2001 @@ -87,6 +87,14 @@ #include #include #include +#ifdef CONFIG_GRKERNSEC_RANDPING +#include +#endif + +#if defined(CONFIG_GRKERNSEC_RANDPING)||\ + defined(CONFIG_GRKERNSEC_STEALTH_ICMP) +#include +#endif #define min(a,b) ((a)<(b)?(a):(b)) @@ -364,7 +372,6 @@ icmp_xmit_unlock_bh(); } - /* * Send an ICMP message in response to a situation * @@ -728,10 +735,18 @@ icmp_param.data.icmph=*skb->h.icmph; icmp_param.data.icmph.type=ICMP_ECHOREPLY; +#ifdef CONFIG_GRKERNSEC_RANDPING + if(grsec_enable_randping) + icmp_param.data.icmph.un.echo.id = + skb->h.icmph->un.echo.id; +#endif icmp_param.skb=skb; icmp_param.offset=0; icmp_param.data_len=skb->len; icmp_param.head_len=sizeof(struct icmphdr); +#ifdef CONFIG_GRKERNSEC_STEALTH_ICMP + if (!grsec_enable_stealth_icmp) +#endif icmp_reply(&icmp_param, skb); } } @@ -773,6 +788,9 @@ icmp_param.offset=0; icmp_param.data_len=0; icmp_param.head_len=sizeof(struct icmphdr)+12; +#ifdef CONFIG_GRKERNSEC_STEALTH_ICMP + if(!grsec_enable_stealth_icmp) +#endif icmp_reply(&icmp_param, skb); } diff -urN linux/net/ipv4/igmp.c linux.grsec/net/ipv4/igmp.c --- linux/net/ipv4/igmp.c Thu Apr 12 21:11:39 2001 +++ linux.grsec/net/ipv4/igmp.c Sun Sep 30 01:54:20 2001 @@ -98,6 +98,10 @@ #include #endif +#ifdef CONFIG_GRKERNSEC_STEALTH_IGMP +#include +#endif + #define IP_MAX_MEMBERSHIPS 20 @@ -199,7 +203,10 @@ struct igmphdr *ih; struct rtable *rt; u32 dst; - +#ifdef CONFIG_GRKERNSEC_STEALTH_IGMP + if(grsec_enable_stealth_igmp) + return(-1); +#endif /* According to IGMPv2 specs, LEAVE messages are * sent to all-routers group. */ diff -urN linux/net/ipv4/ip_gre.c linux.grsec/net/ipv4/ip_gre.c --- linux/net/ipv4/ip_gre.c Tue May 15 10:29:35 2001 +++ linux.grsec/net/ipv4/ip_gre.c Sun Sep 30 01:54:20 2001 @@ -28,6 +28,10 @@ #include #include #include +#ifdef CONFIG_GRKERNSEC_RANDTTL +#include +#include +#endif #include #include @@ -846,6 +850,9 @@ iph->saddr = rt->rt_src; if ((iph->ttl = tiph->ttl) == 0) { +#ifdef CONFIG_GRKERNSEC_RANDTTL + unsigned long randttl; +#endif if (skb->protocol == __constant_htons(ETH_P_IP)) iph->ttl = old_iph->ttl; #ifdef CONFIG_IPV6 @@ -853,6 +860,13 @@ iph->ttl = ((struct ipv6hdr*)old_iph)->hop_limit; #endif else +#ifdef CONFIG_GRKERNSEC_RANDTTL + if(grsec_enable_randttl){ + get_random_bytes(&randttl,sizeof(randttl)); + iph->ttl = grsec_randttl_thresh + + (randttl % (256 - grsec_randttl_thresh)); + } else +#endif iph->ttl = sysctl_ip_default_ttl; } diff -urN linux/net/ipv4/ip_output.c linux.grsec/net/ipv4/ip_output.c --- linux/net/ipv4/ip_output.c Wed Jul 11 01:11:43 2001 +++ linux.grsec/net/ipv4/ip_output.c Sun Sep 30 01:54:20 2001 @@ -76,6 +76,10 @@ #include #include #include +#ifdef CONFIG_GRKERNSEC_RANDID +#include +#include +#endif /* * Shall we try to damage output packets if routing dev changes? @@ -328,7 +332,9 @@ kfree_skb(skb); return -EMSGSIZE; } + ip_select_ident(iph, &rt->u.dst, sk); + if (skb->ip_summed == CHECKSUM_HW && (skb = skb_checksum_help(skb)) == NULL) return -ENOMEM; @@ -499,7 +505,13 @@ * Begin outputting the bytes. */ - id = sk->protinfo.af_inet.id++; +#ifdef CONFIG_GRKERNSEC_RANDID + if(grsec_enable_randid){ + get_random_bytes(&id,(sizeof(id) / 2)); + sk->protinfo.af_inet.id = id; + } else +#endif + id = sk->protinfo.af_inet.id++; do { char *data; @@ -554,7 +566,7 @@ */ __ip_select_ident(iph, &rt->u.dst); id = iph->id; - } + } /* * Any further fragments will have MF set. @@ -994,7 +1006,17 @@ ip_rt_init(); inet_initpeers(); +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP +#ifdef CONFIG_IP_MULTICAST + proc_net_create("igmp", S_IRUSR|S_IRGRP, ip_mc_procinfo); +#endif +#elif CONFIG_GRKERNSEC_PROC_USER +#ifdef CONFIG_IP_MULTICAST + proc_net_create("igmp", S_IRUSR, ip_mc_procinfo); +#endif +#else #ifdef CONFIG_IP_MULTICAST proc_net_create("igmp", 0, ip_mc_procinfo); +#endif #endif } diff -urN linux/net/ipv4/ip_sockglue.c linux.grsec/net/ipv4/ip_sockglue.c --- linux/net/ipv4/ip_sockglue.c Thu Apr 12 21:11:39 2001 +++ linux.grsec/net/ipv4/ip_sockglue.c Sun Sep 30 01:54:20 2001 @@ -42,6 +42,10 @@ #include #include +#ifdef CONFIG_GRKERNSEC_RANDTTL +#include +#include +#endif #define MAX(a,b) ((a)>(b)?(a):(b)) @@ -383,7 +387,9 @@ int ip_setsockopt(struct sock *sk, int level, int optname, char *optval, int optlen) { int val=0,err; - +#ifdef CONFIG_GRKERNSEC_RANDTTL + unsigned long randttl; +#endif if (level != SOL_IP) return -ENOPROTOOPT; @@ -500,8 +506,16 @@ case IP_TTL: if (optlen<1) goto e_inval; - if(val==-1) + if(val==-1){ +#ifdef CONFIG_GRKERNSEC_RANDTTL + if(grsec_enable_randttl){ + get_random_bytes(&randttl,sizeof(randttl)); + val = grsec_randttl_thresh + + (randttl % (256 - grsec_randttl_thresh)); + } else +#endif val = sysctl_ip_default_ttl; + } if(val<1||val>255) goto e_inval; sk->protinfo.af_inet.ttl=val; diff -urN linux/net/ipv4/ipmr.c linux.grsec/net/ipv4/ipmr.c --- linux/net/ipv4/ipmr.c Sat Jun 30 04:38:26 2001 +++ linux.grsec/net/ipv4/ipmr.c Sun Sep 30 01:54:20 2001 @@ -1761,8 +1761,20 @@ init_timer(&ipmr_expire_timer); ipmr_expire_timer.function=ipmr_expire_process; register_netdevice_notifier(&ip_mr_notifier); +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP +#ifdef CONFIG_PROC_FS + proc_net_create("ip_mr_vif",S_IRUSR|S_IRGRP,ipmr_vif_info); + proc_net_create("ip_mr_cache",S_IRUSR|S_IRGRP,ipmr_mfc_info); +#endif +#elif CONFIG_GRKERNSEC_PROC_USER +#ifdef CONFIG_PROC_FS + proc_net_create("ip_mr_vif",S_IRUSR,ipmr_vif_info); + proc_net_create("ip_mr_cache",S_IRUSR,ipmr_mfc_info); +#endif +#else #ifdef CONFIG_PROC_FS proc_net_create("ip_mr_vif",0,ipmr_vif_info); proc_net_create("ip_mr_cache",0,ipmr_mfc_info); #endif +#endif } diff -urN linux/net/ipv4/route.c linux.grsec/net/ipv4/route.c --- linux/net/ipv4/route.c Fri Jul 20 03:11:13 2001 +++ linux.grsec/net/ipv4/route.c Sun Sep 30 01:54:20 2001 @@ -2525,9 +2525,31 @@ ip_rt_gc_interval; add_timer(&rt_periodic_timer); - proc_net_create ("rt_cache", 0, rt_cache_get_info); +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP + proc_net_create ("rt_cache", S_IRUSR|S_IRGRP, rt_cache_get_info); +#elif CONFIG_GRKERNSEC_PROC_USER + proc_net_create ("rt_cache", S_IRUSR, rt_cache_get_info); +#else + proc_net_create ("rt_cache", 0, rt_cache_get_info); +#endif +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP + proc_net_create ("rt_cache_stat", S_IRUSR|S_IRGRP, rt_cache_stat_get_info); +#elif CONFIG_GRKERNSEC_PROC_USER + proc_net_create ("rt_cache_stat", S_IRUSR, rt_cache_stat_get_info); +#else proc_net_create ("rt_cache_stat", 0, rt_cache_stat_get_info); +#endif +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP #ifdef CONFIG_NET_CLS_ROUTE - create_proc_read_entry("net/rt_acct", 0, 0, ip_rt_acct_read, NULL); + create_proc_read_entry("net/rt_acct", S_IRUSR|S_IRGRP, 0, ip_rt_acct_read, NULL); +#endif +#elif CONFIG_GRKERNSEC_PROC_USER +#ifdef CONFIG_NET_CLS_ROUTE + create_proc_read_entry("net/rt_acct", S_IRUSR, 0, ip_rt_acct_read, NULL); +#endif +#else +#ifdef CONFIG_NET_CLS_ROUTE + create_proc_read_entry("net/rt_acct", 0, 0, ip_rt_acct_read, NULL); +#endif #endif } diff -urN linux/net/ipv4/tcp_ipv4.c linux.grsec/net/ipv4/tcp_ipv4.c --- linux/net/ipv4/tcp_ipv4.c Wed Apr 25 23:57:39 2001 +++ linux.grsec/net/ipv4/tcp_ipv4.c Sun Sep 30 01:54:21 2001 @@ -63,6 +63,13 @@ #include #include +#if defined(CONFIG_GRKERNSEC_RANDID)||defined(CONFIG_GRKERNSEC_RANDSRC)||\ + defined(CONFIG_GRKERNSEC_STEALTH_RST)||\ + defined(CONFIG_GRKERNSEC_STEALTH_FLAGS) +#include +#endif + + extern int sysctl_ip_dynaddr; /* Check TCP sequence numbers in ICMP packets. */ @@ -177,12 +184,37 @@ int high = sysctl_local_port_range[1]; int remaining = (high - low) + 1; int rover; +#ifdef CONFIG_GRKERNSEC_RANDSRC + unsigned long longrover; + int count = 0; +#endif spin_lock(&tcp_portalloc_lock); rover = tcp_port_rover; +#ifdef CONFIG_GRKERNSEC_RANDSRC + do { + if(grsec_enable_randsrc){ + if(count < 64){ + get_random_bytes(&longrover,sizeof(longrover)); + rover=low+(longrover % (high - low)); + } else if(count == 64) + rover = tcp_port_rover; + else if(count > 64){ + rover++; + if ((rover < low) || (rover > high)) + rover = low; + } + count++; + } else { + rover++; + if ((rover < low) || (rover > high)) + rover = low; + } +#else do { rover++; if ((rover < low) || (rover > high)) rover = low; +#endif head = &tcp_bhash[tcp_bhashfn(rover)]; spin_lock(&head->lock); for (tb = head->chain; tb; tb = tb->next) @@ -192,7 +224,9 @@ next: spin_unlock(&head->lock); } while (--remaining > 0); + tcp_port_rover = rover; + spin_unlock(&tcp_portalloc_lock); /* Exhausted local port range during search? */ @@ -718,6 +752,11 @@ tp->ext_header_len = 0; if (sk->protinfo.af_inet.opt) tp->ext_header_len = sk->protinfo.af_inet.opt->optlen; +#ifdef CONFIG_GRKERNSEC_RANDID +if(grsec_enable_randid) + get_random_bytes(&sk->protinfo.af_inet.id,(sizeof(sk->protinfo.af_inet.id) / 2)); +else +#endif sk->protinfo.af_inet.id = tp->write_seq^jiffies; tp->mss_clamp = 536; @@ -1031,7 +1070,10 @@ struct tcphdr *th = skb->h.th; struct tcphdr rth; struct ip_reply_arg arg; - +#ifdef CONFIG_GRKERNSEC_STEALTH_RST + if(grsec_enable_stealth_rst) + return; +#endif /* Never send a reset in response to a reset. */ if (th->rst) return; @@ -1444,6 +1486,11 @@ newtp->ext_header_len = 0; if (newsk->protinfo.af_inet.opt) newtp->ext_header_len = newsk->protinfo.af_inet.opt->optlen; +#ifdef CONFIG_GRKERNSEC_RANDID + if(grsec_enable_randid) + get_random_bytes(&newsk->protinfo.af_inet.id,(sizeof(newsk->protinfo.af_inet.id) / 2)); + else +#endif newsk->protinfo.af_inet.id = newtp->write_seq^jiffies; tcp_sync_mss(newsk, dst->pmtu); @@ -1608,6 +1655,18 @@ if (th->doff < sizeof(struct tcphdr)/4) goto bad_packet; +#ifdef CONFIG_GRKERNSEC_STEALTH_FLAGS +if(grsec_enable_stealth_flags){ + if(th->fin && th->syn) + goto discard_it; + + if(!(th->ack || th->syn || th->rst) || th->res1) + goto discard_it; + + if(th->fin && th->psh && th->urg) + goto discard_it; +} +#endif if (!pskb_may_pull(skb, th->doff*4)) goto discard_it; diff -urN linux/net/ipv4/udp.c linux.grsec/net/ipv4/udp.c --- linux/net/ipv4/udp.c Thu Apr 12 21:11:39 2001 +++ linux.grsec/net/ipv4/udp.c Sun Sep 30 01:54:21 2001 @@ -93,7 +93,12 @@ #include #include #include - +#ifdef CONFIG_GRKERNSEC_RANDID +#include +#endif +#if defined(CONFIG_GRKERNSEC_RANDID) || defined(CONFIG_GRKERNSEC_STEALTH_UDP) +#include +#endif /* * Snmp MIB for the UDP layer */ @@ -738,6 +743,12 @@ sk->daddr = rt->rt_dst; sk->dport = usin->sin_port; sk->state = TCP_ESTABLISHED; + +#ifdef CONFIG_GRKERNSEC_RANDID +if(grsec_enable_randid) + get_random_bytes(&sk->protinfo.af_inet.id,(sizeof(sk->protinfo.af_inet.id) / 2)); +else +#endif sk->protinfo.af_inet.id = jiffies; sk_dst_set(sk, &rt->u.dst); @@ -909,12 +920,14 @@ sock_put(sk); return 0; } - /* No socket. Drop packet silently, if checksum is wrong */ if (udp_checksum_complete(skb)) goto csum_error; UDP_INC_STATS_BH(UdpNoPorts); +#ifdef CONFIG_GRKERNSEC_STEALTH_UDP + if(!grsec_enable_stealth_udp) +#endif icmp_send(skb, ICMP_DEST_UNREACH, ICMP_PORT_UNREACH, 0); /* diff -urN linux/net/socket.c linux.grsec/net/socket.c --- linux/net/socket.c Fri Jul 20 03:11:13 2001 +++ linux.grsec/net/socket.c Sun Sep 30 01:54:21 2001 @@ -87,6 +87,13 @@ #include #include +#if defined(CONFIG_GRKERNSEC_SOCKET_ALL)||\ + defined(CONFIG_GRKERNSEC_SOCKET_CLIENT)||\ + defined(CONFIG_GRKERNSEC_SOCKET_SERVER) +#include +#endif + + static int sock_no_open(struct inode *irrelevant, struct file *dontcare); static loff_t sock_lseek(struct file *file, loff_t offset, int whence); static ssize_t sock_read(struct file *file, char *buf, @@ -914,7 +921,18 @@ { int retval; struct socket *sock; - +#ifdef CONFIG_GRKERNSEC_SOCKET_ALL + if(grsec_enable_socket_all && + (in_group_p(grsec_socket_all_gid)) && (family != AF_UNIX) && (family != AF_LOCAL)){ + security_alert("attempted socket(%d,%d,%d) by (%.16s:%d), " + "UID(%d), EUID(%d), parent (%.16s:%d), UID(%d), " + "EUID(%d)","attempted sockets",family,type,protocol, + current->comm,current->pid,current->uid,current->euid, + current->p_pptr->comm,current->p_pptr->pid,current->p_pptr->uid, + current->p_pptr->euid); + return -EACCES; + } +#endif retval = sock_create(family, type, protocol, &sock); if (retval < 0) goto out; @@ -1011,7 +1029,18 @@ struct socket *sock; char address[MAX_SOCK_ADDR]; int err; - +#ifdef CONFIG_GRKERNSEC_SOCKET_SERVER + if(grsec_enable_socket_server && + (in_group_p(grsec_socket_server_gid)) && (umyaddr->sa_family != AF_UNIX) && (umyaddr->sa_family != AF_LOCAL)){ + security_alert("attempted bind() by (%.16s:%d), " + "UID(%d), EUID(%d), parent (%.16s:%d), UID(%d), " + "EUID(%d)","attempted binds", + current->comm,current->pid,current->uid,current->euid, + current->p_pptr->comm,current->p_pptr->pid,current->p_pptr->uid, + current->p_pptr->euid); + return -EACCES; + } +#endif if((sock = sockfd_lookup(fd,&err))!=NULL) { if((err=move_addr_to_kernel(umyaddr,addrlen,address))>=0) @@ -1119,10 +1148,21 @@ struct socket *sock; char address[MAX_SOCK_ADDR]; int err; - sock = sockfd_lookup(fd, &err); if (!sock) goto out; +#ifdef CONFIG_GRKERNSEC_SOCKET_CLIENT + if(grsec_enable_socket_client && + (in_group_p(grsec_socket_client_gid)) && (uservaddr->sa_family != AF_UNIX) && (uservaddr->sa_family != AF_LOCAL)){ + security_alert("attempted connect() to fd %d by (%.16s:%d), " + "UID(%d), EUID(%d), parent (%.16s:%d), UID(%d), " + "EUID(%d)","attempted connects",fd, + current->comm,current->pid,current->uid,current->euid, + current->p_pptr->comm,current->p_pptr->pid,current->p_pptr->uid, + current->p_pptr->euid); + return -ENETUNREACH; + } +#endif err = move_addr_to_kernel(uservaddr, addrlen, address); if (err < 0) goto out_put;