SOURCES: linux-2.6-grsec-minimal.patch (NEW) - minimal, basic feat...
baggins
baggins at pld-linux.org
Tue Aug 30 18:21:59 CEST 2005
Author: baggins Date: Tue Aug 30 16:21:59 2005 GMT
Module: SOURCES Tag: HEAD
---- Log message:
- minimal, basic feature set (/proc, link and fifo restrictions)
---- Files affected:
SOURCES:
linux-2.6-grsec-minimal.patch (NONE -> 1.1) (NEW)
---- Diffs:
================================================================
Index: SOURCES/linux-2.6-grsec-minimal.patch
diff -u /dev/null SOURCES/linux-2.6-grsec-minimal.patch:1.1
--- /dev/null Tue Aug 30 18:21:59 2005
+++ SOURCES/linux-2.6-grsec-minimal.patch Tue Aug 30 18:21:54 2005
@@ -0,0 +1,762 @@
+diff -urN linux-2.6.12.6/drivers/char/keyboard.c linux-2.6.12.6-gr-minimal/drivers/char/keyboard.c
+--- linux-2.6.12.6/drivers/char/keyboard.c 2005-08-30 14:50:44.362019968 +0200
++++ linux-2.6.12.6-gr-minimal/drivers/char/keyboard.c 2005-08-30 16:55:16.698334512 +0200
+@@ -608,6 +608,16 @@
+ kbd->kbdmode == VC_MEDIUMRAW) &&
+ value != KVAL(K_SAK))
+ return; /* SAK is allowed even in raw mode */
++
++#if defined(CONFIG_GRKERNSEC_PROC)
++ {
++ void *func = fn_handler[value];
++ if (func == fn_show_state || func == fn_show_ptregs ||
++ func == fn_show_mem)
++ return;
++ }
++#endif
++
+ fn_handler[value](vc, regs);
+ }
+
+diff -urN linux-2.6.12.6/drivers/pci/proc.c linux-2.6.12.6-gr-minimal/drivers/pci/proc.c
+--- linux-2.6.12.6/drivers/pci/proc.c 2005-08-29 18:55:27.000000000 +0200
++++ linux-2.6.12.6-gr-minimal/drivers/pci/proc.c 2005-08-30 16:55:16.748326912 +0200
+@@ -569,7 +569,15 @@
+
+ static void legacy_proc_init(void)
+ {
++#ifdef CONFIG_GRKERNSEC_PROC_ADD
++#ifdef CONFIG_GRKERNSEC_PROC_USER
++ struct proc_dir_entry * entry = create_proc_entry("pci", S_IRUSR, NULL);
++#elif CONFIG_GRKERNSEC_PROC_USERGROUP
++ struct proc_dir_entry * entry = create_proc_entry("pci", S_IRUSR | S_IRGRP, NULL);
++#endif
++#else
+ struct proc_dir_entry * entry = create_proc_entry("pci", 0, NULL);
++#endif
+ if (entry)
+ entry->proc_fops = &proc_pci_operations;
+ }
+@@ -598,7 +606,15 @@
+ {
+ struct proc_dir_entry *entry;
+ struct pci_dev *dev = NULL;
++#ifdef CONFIG_GRKERNSEC_PROC_ADD
++#ifdef CONFIG_GRKERNSEC_PROC_USER
++ proc_bus_pci_dir = proc_mkdir_mode("pci", S_IRUSR | S_IXUSR, proc_bus);
++#elif CONFIG_GRKERNSEC_PROC_USERGROUP
++ proc_bus_pci_dir = proc_mkdir_mode("pci", S_IRUSR | S_IXUSR | S_IRGRP | S_IXGRP, proc_bus);
++#endif
++#else
+ proc_bus_pci_dir = proc_mkdir("pci", proc_bus);
++#endif
+ entry = create_proc_entry("devices", 0, proc_bus_pci_dir);
+ if (entry)
+ entry->proc_fops = &proc_bus_pci_dev_operations;
+diff -urN linux-2.6.12.6/fs/Kconfig linux-2.6.12.6-gr-minimal/fs/Kconfig
+--- linux-2.6.12.6/fs/Kconfig 2005-08-30 14:50:48.897330496 +0200
++++ linux-2.6.12.6-gr-minimal/fs/Kconfig 2005-08-30 16:55:16.787320984 +0200
+@@ -819,7 +819,7 @@
+
+ config PROC_KCORE
+ bool "/proc/kcore support" if !ARM
+- depends on PROC_FS && MMU
++ depends on PROC_FS && MMU && !GRKERNSEC_PROC_ADD
+
+ config SYSFS
+ bool "sysfs file system support" if EMBEDDED
+diff -urN linux-2.6.12.6/fs/namei.c linux-2.6.12.6-gr-minimal/fs/namei.c
+--- linux-2.6.12.6/fs/namei.c 2005-08-30 14:50:44.000074992 +0200
++++ linux-2.6.12.6-gr-minimal/fs/namei.c 2005-08-30 15:01:26.561724968 +0200
+@@ -541,6 +541,18 @@
+ err = security_inode_follow_link(path->dentry, nd);
+ if (err)
+ goto loop;
++
++#ifdef CONFIG_GRKERNSEC_LINK
++ if (S_ISLNK(path->dentry->d_inode->i_mode) &&
++ (path->dentry->d_parent->d_inode->i_mode & S_ISVTX) &&
++ (path->dentry->d_parent->d_inode->i_uid != path->dentry->d_inode->i_uid) &&
++ (path->dentry->d_parent->d_inode->i_mode & S_IWOTH) &&
++ (current->fsuid != path->dentry->d_inode->i_uid)) {
++ err = -EACCES;
++ goto loop;
++ }
++#endif
++
+ current->link_count++;
+ current->total_link_count++;
+ nd->depth++;
+@@ -1487,6 +1499,16 @@
+ /*
+ * It already exists.
+ */
++#ifdef CONFIG_GRKERNSEC_FIFO
++ if (S_ISFIFO(path.dentry->d_inode->i_mode) &&
++ !(flag & O_EXCL) && (dir->d_inode->i_mode & S_ISVTX) &&
++ (path.dentry->d_inode->i_uid != dir->d_inode->i_uid) &&
++ (current->fsuid != path.dentry->d_inode->i_uid)) {
++ up(&dir->d_inode->i_sem);
++ error = -EACCES;
++ goto exit_dput;
++ }
++#endif
+ up(&dir->d_inode->i_sem);
+
+ error = -EEXIST;
+@@ -1544,6 +1566,18 @@
+ error = security_inode_follow_link(path.dentry, nd);
+ if (error)
+ goto exit_dput;
++
++#ifdef CONFIG_GRKERNSEC_LINK
++ if (S_ISLNK(path.dentry->d_inode->i_mode) &&
++ (path.dentry->d_parent->d_inode->i_mode & S_ISVTX) &&
++ (path.dentry->d_parent->d_inode->i_uid != path.dentry->d_inode->i_uid) &&
++ (path.dentry->d_parent->d_inode->i_mode & S_IWOTH) &&
++ (current->fsuid != path.dentry->d_inode->i_uid)) {
++ error = -EACCES;
++ goto exit_dput;
++ }
++#endif
++
+ error = __do_follow_link(&path, nd);
+ if (error)
+ return error;
+@@ -2046,7 +2080,20 @@
+ new_dentry = lookup_create(&nd, 0);
+ error = PTR_ERR(new_dentry);
+ if (!IS_ERR(new_dentry)) {
+- error = vfs_link(old_nd.dentry, nd.dentry->d_inode, new_dentry);
++#ifdef CONFIG_GRKERNSEC_LINK
++ error = 0;
++ if (current->fsuid != old_nd.dentry->d_inode->i_uid &&
++ (!S_ISREG(old_nd.dentry->d_inode->i_mode) ||
++ (old_nd.dentry->d_inode->i_mode & S_ISUID) ||
++ ((old_nd.dentry->d_inode->i_mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP)) ||
++ (generic_permission(old_nd.dentry->d_inode, MAY_READ | MAY_WRITE, NULL))) &&
++ !capable(CAP_FOWNER) && current->uid) {
++ error = -EPERM;
++ }
++ if (!error)
++#endif
++ error = vfs_link(old_nd.dentry, nd.dentry->d_inode, new_dentry);
++
+ dput(new_dentry);
+ }
+ up(&nd.dentry->d_inode->i_sem);
+diff -urN linux-2.6.12.6/fs/proc/array.c linux-2.6.12.6-gr-minimal/fs/proc/array.c
+--- linux-2.6.12.6/fs/proc/array.c 2005-08-29 18:55:27.000000000 +0200
++++ linux-2.6.12.6-gr-minimal/fs/proc/array.c 2005-08-30 16:55:16.799319160 +0200
+@@ -482,3 +482,14 @@
+ return sprintf(buffer,"%d %d %d %d %d %d %d\n",
+ size, resident, shared, text, lib, data, 0);
+ }
++
++#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
++int proc_pid_ipaddr(struct task_struct *task, char * buffer)
++{
++ int len;
++
++ len = sprintf(buffer, "%u.%u.%u.%u\n", NIPQUAD(task->signal->curr_ip));
++ return len;
++}
++#endif
++
+diff -urN linux-2.6.12.6/fs/proc/base.c linux-2.6.12.6-gr-minimal/fs/proc/base.c
+--- linux-2.6.12.6/fs/proc/base.c 2005-08-29 18:55:27.000000000 +0200
++++ linux-2.6.12.6-gr-minimal/fs/proc/base.c 2005-08-30 16:55:16.803318552 +0200
+@@ -83,6 +83,9 @@
+ #ifdef CONFIG_AUDITSYSCALL
+ PROC_TGID_LOGINUID,
+ #endif
++#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
++ PROC_TGID_IPADDR,
++#endif
+ PROC_TGID_FD_DIR,
+ PROC_TGID_OOM_SCORE,
+ PROC_TGID_OOM_ADJUST,
+@@ -152,6 +155,9 @@
+ E(PROC_TGID_ROOT, "root", S_IFLNK|S_IRWXUGO),
+ E(PROC_TGID_EXE, "exe", S_IFLNK|S_IRWXUGO),
+ E(PROC_TGID_MOUNTS, "mounts", S_IFREG|S_IRUGO),
++#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
++ E(PROC_TGID_IPADDR, "ipaddr", S_IFREG|S_IRUSR),
++#endif
+ #ifdef CONFIG_SECURITY
+ E(PROC_TGID_ATTR, "attr", S_IFDIR|S_IRUGO|S_IXUGO),
+ #endif
+@@ -1149,6 +1155,9 @@
+ inode->i_uid = task->euid;
+ inode->i_gid = task->egid;
+ }
++#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
++ inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
++#endif
+ security_task_to_inode(task, inode);
+
+ out:
+@@ -1177,7 +1186,9 @@
+ if (pid_alive(task)) {
+ if (proc_type(inode) == PROC_TGID_INO || proc_type(inode) == PROC_TID_INO || task_dumpable(task)) {
+ inode->i_uid = task->euid;
++#ifndef CONFIG_GRKERNSEC_PROC_USERGROUP
+ inode->i_gid = task->egid;
++#endif
+ } else {
+ inode->i_uid = 0;
+ inode->i_gid = 0;
+@@ -1500,6 +1511,12 @@
+ inode->i_fop = &proc_info_file_operations;
+ ei->op.proc_read = proc_pid_status;
+ break;
++#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
++ case PROC_TGID_IPADDR:
++ inode->i_fop = &proc_info_file_operations;
++ ei->op.proc_read = proc_pid_ipaddr;
++ break;
++#endif
+ case PROC_TID_STAT:
+ inode->i_fop = &proc_info_file_operations;
+ ei->op.proc_read = proc_tid_stat;
+@@ -1792,6 +1809,17 @@
+ if (!task)
+ goto out;
+
++#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
++ if (current->uid && (task->uid != current->uid)
++#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
++ && !in_group_p(CONFIG_GRKERNSEC_PROC_GID)
++#endif
++ ) {
++ put_task_struct(task);
++ goto out;
++ }
++#endif
++
+ inode = proc_pid_make_inode(dir->i_sb, task, PROC_TGID_INO);
+
+
+@@ -1799,7 +1827,15 @@
+ put_task_struct(task);
+ goto out;
+ }
++
++#ifdef CONFIG_GRKERNSEC_PROC_USER
++ inode->i_mode = S_IFDIR|S_IRUSR|S_IXUSR;
++#elif CONFIG_GRKERNSEC_PROC_USERGROUP
++ inode->i_mode = S_IFDIR|S_IRUSR|S_IXUSR|S_IRGRP|S_IXGRP;
++ inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
++#else
+ inode->i_mode = S_IFDIR|S_IRUGO|S_IXUGO;
++#endif
+ inode->i_op = &proc_tgid_base_inode_operations;
+ inode->i_fop = &proc_tgid_base_operations;
+ inode->i_flags|=S_IMMUTABLE;
+@@ -1891,6 +1927,9 @@
+ static int get_tgid_list(int index, unsigned long version, unsigned int *tgids)
+ {
+ struct task_struct *p;
++#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
++ struct task_struct *tmp = current;
++#endif
+ int nr_tgids = 0;
+
+ index--;
+@@ -1911,6 +1950,14 @@
+ int tgid = p->pid;
+ if (!pid_alive(p))
+ continue;
++#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
++ if (tmp->uid && (p->uid != tmp->uid)
++#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
++ && !in_group_p(CONFIG_GRKERNSEC_PROC_GID)
++#endif
++ )
++ continue;
++#endif
+ if (--index >= 0)
+ continue;
+ tgids[nr_tgids] = tgid;
+diff -urN linux-2.6.12.6/fs/proc/inode.c linux-2.6.12.6-gr-minimal/fs/proc/inode.c
+--- linux-2.6.12.6/fs/proc/inode.c 2005-08-29 18:55:27.000000000 +0200
++++ linux-2.6.12.6-gr-minimal/fs/proc/inode.c 2005-08-30 16:55:16.804318400 +0200
+@@ -163,7 +163,11 @@
+ if (de->mode) {
+ inode->i_mode = de->mode;
+ inode->i_uid = de->uid;
++#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
++ inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
++#else
+ inode->i_gid = de->gid;
++#endif
+ }
+ if (de->size)
+ inode->i_size = de->size;
+diff -urN linux-2.6.12.6/fs/proc/internal.h linux-2.6.12.6-gr-minimal/fs/proc/internal.h
+--- linux-2.6.12.6/fs/proc/internal.h 2005-08-29 18:55:27.000000000 +0200
++++ linux-2.6.12.6-gr-minimal/fs/proc/internal.h 2005-08-30 16:55:16.804318400 +0200
+@@ -36,6 +36,9 @@
+ extern int proc_tgid_stat(struct task_struct *, char *);
+ extern int proc_pid_status(struct task_struct *, char *);
+ extern int proc_pid_statm(struct task_struct *, char *);
++#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
++extern int proc_pid_ipaddr(struct task_struct*,char*);
++#endif
+
+ static inline struct task_struct *proc_task(struct inode *inode)
+ {
+diff -urN linux-2.6.12.6/fs/proc/proc_misc.c linux-2.6.12.6-gr-minimal/fs/proc/proc_misc.c
+--- linux-2.6.12.6/fs/proc/proc_misc.c 2005-08-29 18:55:27.000000000 +0200
++++ linux-2.6.12.6-gr-minimal/fs/proc/proc_misc.c 2005-08-30 16:55:16.806318096 +0200
+@@ -552,6 +552,8 @@
+ void __init proc_misc_init(void)
+ {
+ struct proc_dir_entry *entry;
++ int gr_mode = 0;
++
+ static struct {
+ char *name;
+ int (*read_proc)(char*,char**,off_t,int,int*,void*);
+@@ -566,9 +568,13 @@
+ #ifdef CONFIG_STRAM_PROC
+ {"stram", stram_read_proc},
+ #endif
++#ifndef CONFIG_GRKERNSEC_PROC_ADD
+ {"devices", devices_read_proc},
++#endif
+ {"filesystems", filesystems_read_proc},
++#ifndef CONFIG_GRKERNSEC_PROC_ADD
+ {"cmdline", cmdline_read_proc},
++#endif
+ {"locks", locks_read_proc},
+ {"execdomains", execdomains_read_proc},
+ {NULL,}
+@@ -576,6 +582,16 @@
+ for (p = simple_ones; p->name; p++)
+ create_proc_read_entry(p->name, 0, NULL, p->read_proc, NULL);
+
++#ifdef CONFIG_GRKERNSEC_PROC_USER
++ gr_mode = S_IRUSR;
++#elif CONFIG_GRKERNSEC_PROC_USERGROUP
++ gr_mode = S_IRUSR | S_IRGRP;
++#endif
++#ifdef CONFIG_GRKERNSEC_PROC_ADD
++ create_proc_read_entry("devices", gr_mode, NULL, &devices_read_proc, NULL);
++ create_proc_read_entry("cmdline", gr_mode, NULL, &cmdline_read_proc, NULL);
++#endif
++
+ proc_symlink("mounts", NULL, "self/mounts");
+
+ /* And now for trickier ones */
+@@ -586,17 +602,21 @@
+ create_seq_entry("partitions", 0, &proc_partitions_operations);
+ create_seq_entry("stat", 0, &proc_stat_operations);
+ create_seq_entry("interrupts", 0, &proc_interrupts_operations);
++#ifdef CONFIG_GRKERNSEC_PROC_ADD
++ create_seq_entry("slabinfo",S_IWUSR|gr_mode,&proc_slabinfo_operations);
++#else
+ create_seq_entry("slabinfo",S_IWUSR|S_IRUGO,&proc_slabinfo_operations);
++#endif
+ create_seq_entry("buddyinfo",S_IRUGO, &fragmentation_file_operations);
+ create_seq_entry("vmstat",S_IRUGO, &proc_vmstat_file_operations);
+ create_seq_entry("diskstats", 0, &proc_diskstats_operations);
+ #ifdef CONFIG_MODULES
+- create_seq_entry("modules", 0, &proc_modules_operations);
++ create_seq_entry("modules", gr_mode, &proc_modules_operations);
+ #endif
+ #ifdef CONFIG_SCHEDSTATS
+ create_seq_entry("schedstat", 0, &proc_schedstat_operations);
+ #endif
+-#ifdef CONFIG_PROC_KCORE
++#if defined(CONFIG_PROC_KCORE) && !defined(CONFIG_GRKERNSEC_PROC_ADD)
+ proc_root_kcore = create_proc_entry("kcore", S_IRUSR, NULL);
+ if (proc_root_kcore) {
+ proc_root_kcore->proc_fops = &proc_kcore_operations;
+diff -urN linux-2.6.12.6/fs/proc/root.c linux-2.6.12.6-gr-minimal/fs/proc/root.c
+--- linux-2.6.12.6/fs/proc/root.c 2005-08-29 18:55:27.000000000 +0200
++++ linux-2.6.12.6-gr-minimal/fs/proc/root.c 2005-08-30 16:55:16.807317944 +0200
+@@ -52,7 +52,13 @@
+ return;
+ }
+ proc_misc_init();
++#ifdef CONFIG_GRKERNSEC_PROC_USER
++ proc_net = proc_mkdir_mode("net", S_IRUSR | S_IXUSR, NULL);
++#elif CONFIG_GRKERNSEC_PROC_USERGROUP
++ proc_net = proc_mkdir_mode("net", S_IRUSR | S_IXUSR | S_IRGRP | S_IXGRP, NULL);
++#else
+ proc_net = proc_mkdir("net", NULL);
++#endif
+ proc_net_stat = proc_mkdir("net/stat", NULL);
+
+ #ifdef CONFIG_SYSVIPC
+@@ -76,7 +82,15 @@
+ #ifdef CONFIG_PROC_DEVICETREE
+ proc_device_tree_init();
+ #endif
++#ifdef CONFIG_GRKERNSEC_PROC_ADD
++#ifdef CONFIG_GRKERNSEC_PROC_USER
++ proc_bus = proc_mkdir_mode("bus", S_IRUSR | S_IXUSR, NULL);
++#elif CONFIG_GRKERNSEC_PROC_USERGROUP
++ proc_bus = proc_mkdir_mode("bus", S_IRUSR | S_IXUSR | S_IRGRP | S_IXGRP, NULL);
++#endif
++#else
+ proc_bus = proc_mkdir("bus", NULL);
++#endif
+ }
+
+ static struct dentry *proc_root_lookup(struct inode * dir, struct dentry * dentry, struct nameidata *nd)
+diff -urN linux-2.6.12.6/include/linux/sched.h linux-2.6.12.6-gr-minimal/include/linux/sched.h
+--- linux-2.6.12.6/include/linux/sched.h 2005-08-30 14:50:44.008073776 +0200
++++ linux-2.6.12.6-gr-minimal/include/linux/sched.h 2005-08-30 16:57:22.493210784 +0200
+@@ -365,6 +365,13 @@
+ struct key *session_keyring; /* keyring inherited over fork */
+ struct key *process_keyring; /* keyring private to this process */
+ #endif
++#ifdef CONFIG_GRKERNSEC
++ u32 curr_ip;
++ u32 gr_saddr;
++ u32 gr_daddr;
++ u16 gr_sport;
++ u16 gr_dport;
++#endif
+ };
+
+ /*
+diff -urN linux-2.6.12.6/kernel/signal.c linux-2.6.12.6-gr-minimal/kernel/signal.c
+--- linux-2.6.12.6/kernel/signal.c 2005-08-29 18:55:27.000000000 +0200
++++ linux-2.6.12.6-gr-minimal/kernel/signal.c 2005-08-30 16:53:56.488528256 +0200
+@@ -318,6 +318,9 @@
+ spin_unlock_irqrestore(&t->sighand->siglock, flags);
+ }
+
++#ifdef CONFIG_GRKERNSEC
++extern void gr_del_task_from_ip_table(struct task_struct *task);
++#endif
+ /*
+ * This function expects the tasklist_lock write-locked.
+ */
+@@ -356,6 +357,9 @@
+ posix_cpu_timers_exit_group(tsk);
+ if (tsk == sig->curr_target)
+ sig->curr_target = next_thread(tsk);
++#ifdef CONFIG_GRKERNSEC
++ gr_del_task_from_ip_table(tsk);
++#endif
+ tsk->signal = NULL;
+ spin_unlock(&sighand->siglock);
+ flush_sigqueue(&sig->shared_pending);
+diff -urN linux-2.6.12.6/net/ipv4/tcp_ipv4.c linux-2.6.12.6-gr-minimal/net/ipv4/tcp_ipv4.c
+--- linux-2.6.12.6/net/ipv4/tcp_ipv4.c 2005-08-29 18:55:27.000000000 +0200
++++ linux-2.6.12.6-gr-minimal/net/ipv4/tcp_ipv4.c 2005-08-30 16:53:51.152339480 +0200
+@@ -647,6 +647,10 @@
+ inet->dport);
+ }
+
++#ifdef CONFIG_GRKERNSEC
++extern void gr_add_to_task_ip_table(struct task_struct *task);
++extern void gr_del_task_from_ip_table(struct task_struct *task);
++#endif
+ /*
+ * Bind a port for a connect operation and hash it.
+ */
+@@ -717,6 +719,15 @@
+ }
+ spin_unlock(&head->lock);
+
++#ifdef CONFIG_GRKERNSEC
++ gr_del_task_from_ip_table(current);
++ current->signal->gr_saddr = inet_sk(sk)->rcv_saddr;
++ current->signal->gr_daddr = inet_sk(sk)->daddr;
++ current->signal->gr_sport = inet_sk(sk)->sport;
++ current->signal->gr_dport = inet_sk(sk)->dport;
++ gr_add_to_task_ip_table(current);
++#endif
++
+ if (tw) {
+ tcp_tw_deschedule(tw);
+ tcp_tw_put(tw);
+diff -urN linux-2.6.12.6/net/socket.c linux-2.6.12.6-gr-minimal/net/socket.c
+--- linux-2.6.12.6/net/socket.c 2005-08-29 18:55:27.000000000 +0200
++++ linux-2.6.12.6-gr-minimal/net/socket.c 2005-08-30 16:53:54.382848368 +0200
+@@ -81,6 +81,7 @@
+ #include <linux/syscalls.h>
+ #include <linux/compat.h>
+ #include <linux/kmod.h>
++#include <linux/in.h>
+
+ #ifdef CONFIG_NET_RADIO
+ #include <linux/wireless.h> /* Note : will define WIRELESS_EXT */
+@@ -94,6 +95,9 @@
+ #include <net/sock.h>
+ #include <linux/netfilter.h>
+
++#ifdef CONFIG_GRKERNSEC
++extern void gr_attach_curr_ip(const struct sock *sk);
++#endif
+ static int sock_no_open(struct inode *irrelevant, struct file *dontcare);
+ static ssize_t sock_aio_read(struct kiocb *iocb, char __user *buf,
+ size_t size, loff_t pos);
+@@ -1384,6 +1386,9 @@
+ goto out_release;
+
+ security_socket_post_accept(sock, newsock);
++#ifdef CONFIG_GRKERNSEC
++ gr_attach_curr_ip(newsock->sk);
++#endif
+
+ out_put:
+ sockfd_put(sock);
+diff -urN linux-2.6.12.6/security/Kconfig linux-2.6.12.6-gr-minimal/security/Kconfig
+--- linux-2.6.12.6/security/Kconfig 2005-08-29 18:55:27.000000000 +0200
++++ linux-2.6.12.6-gr-minimal/security/Kconfig 2005-08-30 16:55:16.808317792 +0200
+@@ -87,5 +87,99 @@
+
+ source security/selinux/Kconfig
+
++#
++# grecurity configuration
++#
++
++menu "Grsecurity"
++
++config GRKERNSEC
++ bool "Grsecurity"
++ help
++ If you say Y here, you will be able to configure many features
++ that will enhance the security of your system. It is highly
++ recommended that you say Y here and read through the help
++ for each option so that you fully understand the features and
++ can evaluate their usefulness for your machine.
++
++menu "Filesystem Protections"
++depends on GRKERNSEC
++
++config GRKERNSEC_PROC
++ bool "Proc restrictions"
++ help
++ If you say Y here, the permissions of the /proc filesystem
++ will be altered to enhance system security and privacy. You MUST
++ choose either a user only restriction or a user and group restriction.
++ Depending upon the option you choose, you can either restrict users to
++ see only the processes they themselves run, or choose a group that can
++ view all processes and files normally restricted to root if you choose
++ the "restrict to user only" option. NOTE: If you're running identd as
++ a non-root user, you will have to run it as the group you specify here.
++
++config GRKERNSEC_PROC_USER
++ bool "Restrict /proc to user only"
++ depends on GRKERNSEC_PROC
++ help
++ If you say Y here, non-root users will only be able to view their own
++ processes, and restricts them from viewing network-related information,
++ and viewing kernel symbol and module information.
++
++config GRKERNSEC_PROC_USERGROUP
++ bool "Allow special group"
++ depends on GRKERNSEC_PROC && !GRKERNSEC_PROC_USER
++ help
++ If you say Y here, you will be able to select a group that will be
++ able to view all processes, network-related information, and
++ kernel and symbol information. This option is useful if you want
++ to run identd as a non-root user.
++
++config GRKERNSEC_PROC_GID
++ int "GID for special group"
++ depends on GRKERNSEC_PROC_USERGROUP
++ default 1001
++
++config GRKERNSEC_PROC_ADD
++ bool "Additional restrictions"
++ depends on GRKERNSEC_PROC_USER || GRKERNSEC_PROC_USERGROUP
++ help
++ If you say Y here, additional restrictions will be placed on
++ /proc that keep normal users from viewing device information and
++ slabinfo information that could be useful for exploits.
++
++config GRKERNSEC_PROC_IPADDR
++ bool "/proc/<pid>/ipaddr support"
++ help
++ If you say Y here, a new entry will be added to each /proc/<pid>
++ directory that contains the IP address of the person using the task.
++ The IP is carried across local TCP and AF_UNIX stream sockets.
++ This information can be useful for IDS/IPSes to perform remote response
++ to a local attack. The entry is readable by only the owner of the
++ process (and root if he has CAP_DAC_OVERRIDE, which can be removed via
++ the RBAC system), and thus does not create privacy concerns.
++
++config GRKERNSEC_LINK
++ bool "Linking restrictions"
++ help
++ If you say Y here, /tmp race exploits will be prevented, since users
<<Diff was trimmed, longer than 597 lines>>
More information about the pld-cvs-commit
mailing list