SOURCES (LINUX_2_6): linux-2.6-grsec_full.patch - updated for http...

mguevara mguevara at pld-linux.org
Tue Jun 5 00:09:19 CEST 2007 

Author: mguevara                     Date: Mon Jun  4 22:09:19 2007 GMT
Module: SOURCES                       Tag: LINUX_2_6
---- Log message:
- updated for http://www.grsecurity.net/~spender/grsecurity-2.1.10-2.6.21.3-200706041205.patch

---- Files affected:
SOURCES:
   linux-2.6-grsec_full.patch (1.1.2.7 -> 1.1.2.8) 

---- Diffs:

================================================================
Index: SOURCES/linux-2.6-grsec_full.patch
diff -u SOURCES/linux-2.6-grsec_full.patch:1.1.2.7 SOURCES/linux-2.6-grsec_full.patch:1.1.2.8
--- SOURCES/linux-2.6-grsec_full.patch:1.1.2.7	Mon Jun  4 02:42:19 2007
+++ SOURCES/linux-2.6-grsec_full.patch	Tue Jun  5 00:09:14 2007
@@ -14123,6 +14123,17 @@
  	proc_root_kcore = create_proc_entry("kcore", S_IRUSR, NULL);
  	if (proc_root_kcore) {
  		proc_root_kcore->proc_fops = &proc_kcore_operations;
+diff -urNp linux-2.6.21.3/fs/proc/proc_sysctl.c linux-2.6.21.3/fs/proc/proc_sysctl.c
+--- linux-2.6.21.3/fs/proc/proc_sysctl.c	2007-04-25 23:08:32.000000000 -0400
++++ linux-2.6.21.3/fs/proc/proc_sysctl.c	2007-06-04 11:34:37.000000000 -0400
+@@ -305,6 +305,7 @@ end_instantiate:
+ 		ino= find_inode_number(dir, &qname);
+ 	if (!ino)
+ 		ino = 1;
++
+ 	return filldir(dirent, qname.name, qname.len, filp->f_pos, ino, type);
+ }
+ 
 diff -urNp linux-2.6.21/fs/proc/root.c linux-2.6.21/fs/proc/root.c
 --- linux-2.6.21/fs/proc/root.c	2007-04-25 23:08:32.000000000 -0400
 +++ linux-2.6.21/fs/proc/root.c	2007-04-29 23:02:11.000000000 -0400
@@ -14650,7 +14661,7 @@
 diff -urNp linux-2.6.21/grsecurity/gracl.c linux-2.6.21/grsecurity/gracl.c
 --- linux-2.6.21/grsecurity/gracl.c	1969-12-31 19:00:00.000000000 -0500
 +++ linux-2.6.21/grsecurity/gracl.c	2007-04-29 23:39:37.000000000 -0400
-@@ -0,0 +1,3547 @@
+@@ -0,0 +1,3610 @@
 +#include <linux/kernel.h>
 +#include <linux/module.h>
 +#include <linux/sched.h>
@@ -17803,11 +17814,68 @@
 +#endif
 +
 +#ifdef CONFIG_SYSCTL
-+/* the following function is called under the BKL */
++/* Eric Biederman likes breaking userland ABI and every inode-based security
++   system to save 35kb of memory */
++
++/* we modify the passed in filename, but adjust it back before returning */
++static struct acl_object_label *gr_lookup_by_name(char *name, unsigned int len)
++{
++	struct name_entry *nmatch;
++	char *p, *lastp = NULL;
++	struct acl_object_label *obj = NULL, *tmp;
++	struct acl_subject_label *tmpsubj;
++	int done = 0;
++	char c = '\0';
++
++	read_lock(&gr_inode_lock);
++
++	p = name + len - 1;
++	do {
++		nmatch = lookup_name_entry(name);
++		if (lastp != NULL)
++			*lastp = c;
++
++		if (nmatch == NULL)
++			goto next_component;
++		tmpsubj = current->acl;
++		do {
++			obj = lookup_acl_obj_label(nmatch->inode, nmatch->device, tmpsubj);
++			if (obj != NULL) {
++				tmp = obj->globbed;
++				while (tmp) {
++					if (!glob_match(tmp->filename, name)) {
++						obj = tmp;
++						goto found_obj;
++					}
++					tmp = tmp->next;
++				}
++				goto found_obj;
++			}
++		} while ((tmpsubj = tmpsubj->parent_subject));
++next_component:
++		/* end case */
++		if (p == name)
++			break;
++
++		while (*p != '/')
++			p--;
++		if (p == name)
++			lastp = p + 1;
++		else {
++			lastp = p;
++			p--;
++		}
++		c = *lastp;
++		*lastp = '\0';
++	} while (1);
++found_obj:
++	read_unlock(&gr_inode_lock);
++	/* obj returned will always be non-null */
++	return obj;
++}
 +
 +__u32
-+gr_handle_sysctl(const struct ctl_table *table, const void *oldval,
-+		 const void *newval)
++gr_handle_sysctl(const struct ctl_table *table, const int op)
 +{
 +	ctl_table *tmp;
 +	struct nameidata nd;
@@ -17816,16 +17884,21 @@
 +	struct acl_object_label *obj;
 +	unsigned short len = 0, pos = 0, depth = 0, i;
 +	__u32 err = 0;
-+	__u32 mode = 0;
++	__u32 mode = GR_FIND;
 +
 +	if (unlikely(!(gr_status & GR_READY)))
 +		return 1;
 +
++	preempt_disable();
++
 +	path = per_cpu_ptr(gr_shared_page[0], smp_processor_id());
 +
-+	if (oldval)
++	/* it's only a read if it's an actual entry, not a dir
++	   (which are opened for readdir)
++	*/
++	if (op & 004 && table->child == NULL)
 +		mode |= GR_READ;
-+	if (newval)
++	if (op & 002)
 +		mode |= GR_WRITE;
 +
 +	/* convert the requested sysctl entry into a pathname */
@@ -17836,8 +17909,10 @@
 +		depth++;
 +	}
 +
-+	if ((len + depth + strlen(proc_sys) + 1) > PAGE_SIZE)
-+		return 0;	/* deny */
++	if ((len + depth + strlen(proc_sys) + 1) > PAGE_SIZE) {
++		err = 0; /* deny */
++		goto out;
++	}
 +
 +	memset(path, 0, PAGE_SIZE);
 +
@@ -17858,12 +17933,7 @@
 +		}
 +	}
 +
-+	err = path_lookup(path, LOOKUP_FOLLOW, &nd);
-+
-+	if (err)
-+		goto out;
-+
-+	obj = chk_obj_label(nd.dentry, nd.mnt, current->acl);
++	obj = gr_lookup_by_name(path, pos);
 +	err = obj->mode & (mode | to_gr_audit(mode) | GR_SUPPRESS);
 +
 +	if (unlikely((current->acl->mode & (GR_LEARN | GR_INHERITLEARN)) &&
@@ -17872,8 +17942,12 @@
 +
 +		new_mode &= ~(GR_AUDITS | GR_SUPPRESS);
 +
++		err = path_lookup(path, LOOKUP_FOLLOW, &nd);
++		if (err)
++			goto out;
 +		err = new_mode;
 +		gr_log_learn(current, nd.dentry, nd.mnt, new_mode);
++		path_release(&nd);
 +	} else if ((err & mode) != mode && !(err & GR_SUPPRESS)) {
 +		gr_log_str4(GR_DONT_AUDIT, GR_SYSCTL_ACL_MSG, "denied",
 +			       path, (mode & GR_READ) ? " reading" : "",
@@ -17887,9 +17961,9 @@
 +			       (mode & GR_WRITE) ? " writing" : "");
 +	}
 +
-+	path_release(&nd);
-+
 +      out:
++	preempt_enable();
++
 +	return err;
 +}
 +#endif
@@ -20044,9 +20118,9 @@
 +
 +#ifdef CONFIG_SYSCTL
 +__u32
-+gr_handle_sysctl(const struct ctl_table * table, __u32 mode)
++gr_handle_sysctl(const struct ctl_table * table, const int op)
 +{
-+	return mode;
++	return 1;
 +}
 +#endif
 +
@@ -28591,15 +28665,14 @@
 diff -urNp linux-2.6.21/kernel/sysctl.c linux-2.6.21/kernel/sysctl.c
 --- linux-2.6.21/kernel/sysctl.c	2007-04-25 23:08:32.000000000 -0400
 +++ linux-2.6.21/kernel/sysctl.c	2007-04-30 17:15:45.000000000 -0400
-@@ -58,6 +58,14 @@ extern int proc_nr_files(ctl_table *tabl
+@@ -58,6 +58,13 @@ extern int proc_nr_files(ctl_table *tabl
  #endif
  
  #if defined(CONFIG_SYSCTL)
 +#include <linux/grsecurity.h>
 +#include <linux/grinternal.h>
 +
-+extern __u32 gr_handle_sysctl(const ctl_table *table, const void *oldval,
-+			      const void *newval);
++extern __u32 gr_handle_sysctl(const ctl_table *table, const int op);
 +extern int gr_handle_sysctl_mod(const char *dirname, const char *name,
 +				const int op);
 +extern int gr_handle_chroot_sysctl(const int op);
@@ -28675,7 +28748,7 @@
  	{ .ctl_name = 0 }
  };
  
-@@ -1149,6 +1189,12 @@ static int test_perm(int mode, int op)
+@@ -1149,6 +1189,28 @@ static int test_perm(int mode, int op)
  int sysctl_perm(ctl_table *table, int op)
  {
  	int error;
@@ -28685,16 +28758,37 @@
 +		return -EACCES;
 +	if (gr_handle_chroot_sysctl(op))
 +		return -EACCES;
++	if (!gr_handle_sysctl(table, op)) {
++		if (!(op & 006))
++			return -ENOENT;
++		else
++			return -EACCES;
++	}
++	error = security_sysctl(table, op);
++	if (error)
++		return error;
++	return test_perm(table->mode, op);
++}
++
++int sysctl_perm_nochk(ctl_table *table, int op)
++{
++	int error;
++
  	error = security_sysctl(table, op);
  	if (error)
  		return error;
-@@ -1180,6 +1226,10 @@ repeat:
+@@ -1173,13 +1234,14 @@ repeat:
+ 		if (n == table->ctl_name) {
+ 			int error;
+ 			if (table->child) {
+-				if (sysctl_perm(table, 001))
++				if (sysctl_perm_nochk(table, 001))
+ 					return -EPERM;
+ 				name++;
+ 				nlen--;
  				table = table->child;
  				goto repeat;
  			}
-+
-+			if (!gr_handle_sysctl(table, oldval, newval))
-+				return -EPERM;
 +
  			error = do_sysctl_strategy(table, name, nlen,
  						   oldval, oldlenp,
================================================================

---- CVS-web:
    http://cvs.pld-linux.org/SOURCES/linux-2.6-grsec_full.patch?r1=1.1.2.7&r2=1.1.2.8&f=u

More information about the pld-cvs-commit mailing list