SOURCES (Titanium): linux-2.6-grsec-vs-minimal.patch - recreated f...
hawk
hawk at pld-linux.org
Fri Apr 25 13:29:34 CEST 2008
Author: hawk Date: Fri Apr 25 11:29:34 2008 GMT
Module: SOURCES Tag: Titanium
---- Log message:
- recreated from grsecurity-2.1.11-2.6.24.5-200804211829.patch.gz
- removed GRKERNSEC_SHM leftovers
---- Files affected:
SOURCES:
linux-2.6-grsec-vs-minimal.patch (1.1.2.8.2.1 -> 1.1.2.8.2.2)
---- Diffs:
================================================================
Index: SOURCES/linux-2.6-grsec-vs-minimal.patch
diff -u SOURCES/linux-2.6-grsec-vs-minimal.patch:1.1.2.8.2.1 SOURCES/linux-2.6-grsec-vs-minimal.patch:1.1.2.8.2.2
--- SOURCES/linux-2.6-grsec-vs-minimal.patch:1.1.2.8.2.1 Sat Apr 19 17:04:10 2008
+++ SOURCES/linux-2.6-grsec-vs-minimal.patch Fri Apr 25 13:29:28 2008
@@ -1,6 +1,6 @@
-diff -urNp linux-2.6.24.orig/arch/sparc/Makefile linux-2.6.24/arch/sparc/Makefile
---- linux-2.6.24.orig/arch/sparc/Makefile 2008-04-19 16:19:57.000000000 +0200
-+++ linux-2.6.24/arch/sparc/Makefile 2008-04-19 16:59:08.000000000 +0200
+diff -urNp linux-2.6.24.5/arch/sparc/Makefile linux-2.6.24.5/arch/sparc/Makefile
+--- linux-2.6.24.5/arch/sparc/Makefile 2008-03-24 14:49:18.000000000 -0400
++++ linux-2.6.24.5/arch/sparc/Makefile 2008-03-26 20:21:07.000000000 -0400
@@ -36,7 +36,7 @@ drivers-$(CONFIG_OPROFILE) += arch/sparc
# Renaming is done to avoid confusing pattern matching rules in 2.5.45 (multy-)
INIT_Y := $(patsubst %/, %/built-in.o, $(init-y))
@@ -10,9 +10,21 @@
CORE_Y := $(patsubst %/, %/built-in.o, $(CORE_Y))
DRIVERS_Y := $(patsubst %/, %/built-in.o, $(drivers-y))
NET_Y := $(patsubst %/, %/built-in.o, $(net-y))
-diff -urNp linux-2.6.24.orig/drivers/char/keyboard.c linux-2.6.24/drivers/char/keyboard.c
---- linux-2.6.24.orig/drivers/char/keyboard.c 2008-04-19 16:19:58.000000000 +0200
-+++ linux-2.6.24/drivers/char/keyboard.c 2008-04-19 16:59:08.000000000 +0200
+diff -urNp linux-2.6.24.5/Makefile linux-2.6.24.5/Makefile
+--- linux-2.6.24.5/Makefile 2008-04-17 20:05:17.000000000 -0400
++++ linux-2.6.24.5/Makefile 2008-04-17 20:05:00.000000000 -0400
+@@ -597,7 +597,7 @@ export mod_strip_cmd
+
+
+ ifeq ($(KBUILD_EXTMOD),)
+-core-y += kernel/ mm/ fs/ ipc/ security/ crypto/ block/
++core-y += kernel/ mm/ fs/ ipc/ security/ crypto/ block/ grsecurity/
+
+ vmlinux-dirs := $(patsubst %/,%,$(filter %/, $(init-y) $(init-m) \
+ $(core-y) $(core-m) $(drivers-y) $(drivers-m) \
+diff -urNp linux-2.6.24.5/drivers/char/keyboard.c linux-2.6.24.5/drivers/char/keyboard.c
+--- linux-2.6.24.5/drivers/char/keyboard.c 2008-03-24 14:49:18.000000000 -0400
++++ linux-2.6.24.5/drivers/char/keyboard.c 2008-03-26 20:21:08.000000000 -0400
@@ -631,6 +631,16 @@ static void k_spec(struct vc_data *vc, u
kbd->kbdmode == VC_MEDIUMRAW) &&
value != KVAL(K_SAK))
@@ -30,9 +42,9 @@
fn_handler[value](vc);
}
-diff -urNp linux-2.6.24.orig/drivers/pci/proc.c linux-2.6.24/drivers/pci/proc.c
---- linux-2.6.24.orig/drivers/pci/proc.c 2008-04-19 16:20:03.000000000 +0200
-+++ linux-2.6.24/drivers/pci/proc.c 2008-04-19 16:59:08.000000000 +0200
+diff -urNp linux-2.6.24.5/drivers/pci/proc.c linux-2.6.24.5/drivers/pci/proc.c
+--- linux-2.6.24.5/drivers/pci/proc.c 2008-03-24 14:49:18.000000000 -0400
++++ linux-2.6.24.5/drivers/pci/proc.c 2008-03-26 20:21:08.000000000 -0400
@@ -467,7 +467,15 @@ static int __init pci_proc_init(void)
{
struct proc_dir_entry *entry;
@@ -49,9 +61,9 @@
entry = create_proc_entry("devices", 0, proc_bus_pci_dir);
if (entry)
entry->proc_fops = &proc_bus_pci_dev_operations;
-diff -urNp linux-2.6.24.orig/fs/Kconfig linux-2.6.24/fs/Kconfig
---- linux-2.6.24.orig/fs/Kconfig 2008-04-19 16:20:07.000000000 +0200
-+++ linux-2.6.24/fs/Kconfig 2008-04-19 16:59:08.000000000 +0200
+diff -urNp linux-2.6.24.5/fs/Kconfig linux-2.6.24.5/fs/Kconfig
+--- linux-2.6.24.5/fs/Kconfig 2008-03-24 14:49:18.000000000 -0400
++++ linux-2.6.24.5/fs/Kconfig 2008-03-26 20:21:08.000000000 -0400
@@ -937,7 +937,7 @@ config PROC_FS
config PROC_KCORE
@@ -61,18 +73,18 @@
config PROC_VMCORE
bool "/proc/vmcore support (EXPERIMENTAL)"
-diff -urNp linux-2.6.24.orig/fs/namei.c linux-2.6.24/fs/namei.c
---- linux-2.6.24.orig/fs/namei.c 2008-04-19 16:20:07.000000000 +0200
-+++ linux-2.6.24/fs/namei.c 2008-04-19 16:59:08.000000000 +0200
-@@ -37,6 +37,7 @@
- #include <linux/vs_cowbl.h>
- #include <linux/vs_device.h>
- #include <linux/vs_context.h>
+diff -urNp linux-2.6.24.5/fs/namei.c linux-2.6.24.5/fs/namei.c
+--- linux-2.6.24.5/fs/namei.c 2008-03-24 14:49:18.000000000 -0400
++++ linux-2.6.24.5/fs/namei.c 2008-03-26 20:21:08.000000000 -0400
+@@ -30,6 +30,7 @@
+ #include <linux/capability.h>
+ #include <linux/file.h>
+ #include <linux/fcntl.h>
+#include <linux/grsecurity.h>
#include <asm/namei.h>
#include <asm/uaccess.h>
-@@ -689,6 +690,13 @@ static inline int do_follow_link(struct
+@@ -653,6 +654,13 @@ static inline int do_follow_link(struct
err = security_inode_follow_link(path->dentry, nd);
if (err)
goto loop;
@@ -86,7 +98,7 @@
current->link_count++;
current->total_link_count++;
nd->depth++;
-@@ -1856,6 +1864,13 @@ do_last:
+@@ -1782,6 +1816,13 @@ do_last:
/*
* It already exists.
*/
@@ -100,7 +112,7 @@
mutex_unlock(&dir->d_inode->i_mutex);
audit_inode(pathname, path.dentry);
-@@ -1927,6 +1942,13 @@ do_link:
+@@ -1837,6 +1888,13 @@ do_link:
error = security_inode_follow_link(path.dentry, nd);
if (error)
goto exit_dput;
@@ -114,7 +126,7 @@
error = __do_follow_link(&path, nd);
if (error) {
/* Does someone understand code flow here? Or it is only
-@@ -2509,7 +2531,16 @@ asmlinkage long sys_linkat(int olddfd, c
+@@ -2404,7 +2532,16 @@ asmlinkage long sys_linkat(int olddfd, c
error = PTR_ERR(new_dentry);
if (IS_ERR(new_dentry))
goto out_unlock;
@@ -126,15 +138,33 @@
+ goto out_unlock_dput;
+ }
+
- error = vfs_link(old_nd.dentry, nd.dentry->d_inode, new_dentry, &nd);
+ error = vfs_link(old_nd.dentry, nd.dentry->d_inode, new_dentry);
+out_unlock_dput:
dput(new_dentry);
out_unlock:
mutex_unlock(&nd.dentry->d_inode->i_mutex);
-diff -urNp linux-2.6.24.orig/fs/proc/array.c linux-2.6.24/fs/proc/array.c
---- linux-2.6.24.orig/fs/proc/array.c 2008-04-19 16:20:10.000000000 +0200
-+++ linux-2.6.24/fs/proc/array.c 2008-04-19 16:59:08.000000000 +0200
-@@ -629,3 +629,14 @@ int proc_pid_statm(struct task_struct *t
+@@ -2630,8 +2776,16 @@ static int do_rename(int olddfd, const c
+ if (new_dentry == trap)
+ goto exit5;
+
+- error = vfs_rename(old_dir->d_inode, old_dentry,
++ error = gr_acl_handle_rename(new_dentry, newnd.dentry, newnd.mnt,
++ old_dentry, old_dir->d_inode, oldnd.mnt,
++ newname);
++
++ if (!error)
++ error = vfs_rename(old_dir->d_inode, old_dentry,
+ new_dir->d_inode, new_dentry);
++ if (!error)
++ gr_handle_rename(old_dir->d_inode, newnd.dentry->d_inode, old_dentry,
++ new_dentry, oldnd.mnt, new_dentry->d_inode ? 1 : 0);
+ exit5:
+ dput(new_dentry);
+ exit4:
+diff -urNp linux-2.6.24.5/fs/proc/array.c linux-2.6.24.5/fs/proc/array.c
+--- linux-2.6.24.5/fs/proc/array.c 2008-03-24 14:49:18.000000000 -0400
++++ linux-2.6.24.5/fs/proc/array.c 2008-03-26 20:21:08.000000000 -0400
+@@ -572,3 +617,14 @@ int proc_pid_statm(struct task_struct *t
return sprintf(buffer, "%d %d %d %d %d %d %d\n",
size, resident, shared, text, lib, data, 0);
}
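Review bot: The new side rewrites the hardlink call as the three-argument `error = vfs_link(old_nd.dentry, nd.dentry->d_inode, new_dentry);`, dropping the `&nd` that the previous revision of this patch passed, and the earlier revision's vserver context lines (`vs_cowbl.h`, `vx_flags`, `proc_vx_init()`) are gone elsewhere in this diff, consistent with the patch having been recreated against a vanilla tree. If the target tree is still vserver-patched, as the file name "grsec-vs-minimal" suggests, this hunk is likely to either fail to apply or not compile, so the intended base tree should be stated in the log message or patch header. The new do_rename hunk below it calls `gr_acl_handle_rename()` and `gr_handle_rename()`, yet the grsecurity/Makefile added later in this diff lists no object visible here as defining them and grsec_disabled.c provides only `grsecurity_init()`; unless stubs live in the trimmed part of the patch (for example inline helpers in the grsecurity header), this will not link. Both `sys_linkat` and `do_rename` begin and end outside the hunk.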
@@ -149,134 +179,9 @@
+}
+#endif
+
-diff -urNp linux-2.6.24.orig/fs/proc/base.c linux-2.6.24/fs/proc/base.c
---- linux-2.6.24.orig/fs/proc/base.c 2008-04-19 16:20:10.000000000 +0200
-+++ linux-2.6.24/fs/proc/base.c 2008-04-19 16:59:08.000000000 +0200
-@@ -1205,7 +1205,11 @@ static struct inode *proc_pid_make_inode
- if (task_dumpable(task)) {
- inode->i_uid = task->euid;
- inode->i_gid = task->egid;
-+#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
-+ inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
-+#endif
- }
-+
- /* procfs is xid tagged */
- inode->i_tag = (tag_t)vx_task_xid(task);
- security_task_to_inode(task, inode);
-@@ -1222,17 +1226,38 @@ static int pid_getattr(struct vfsmount *
- {
- struct inode *inode = dentry->d_inode;
- struct task_struct *task;
-+#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
-+ struct task_struct *tmp = current;
-+#endif
-+
- generic_fillattr(inode, stat);
-
- rcu_read_lock();
- stat->uid = 0;
- stat->gid = 0;
- task = pid_task(proc_pid(inode), PIDTYPE_PID);
-- if (task) {
-+ if (task
-+#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
-+ && (!tmp->uid || (tmp->uid == task->uid)
-+#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
-+ || in_group_p(CONFIG_GRKERNSEC_PROC_GID)
-+#endif
-+ )
-+#endif
-+ ) {
- if ((inode->i_mode == (S_IFDIR|S_IRUGO|S_IXUGO)) ||
-+#ifdef CONFIG_GRKERNSEC_PROC_USER
-+ (inode->i_mode == (S_IFDIR|S_IRUSR|S_IXUSR)) ||
-+#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
-+ (inode->i_mode == (S_IFDIR|S_IRUSR|S_IRGRP|S_IXUSR|S_IXGRP)) ||
-+#endif
- task_dumpable(task)) {
- stat->uid = task->euid;
-+#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
-+ stat->gid = CONFIG_GRKERNSEC_PROC_GID;
-+#else
- stat->gid = task->egid;
-+#endif
- }
- }
- rcu_read_unlock();
-@@ -1262,9 +1287,18 @@ static int pid_revalidate(struct dentry
- struct task_struct *task = get_proc_task(inode);
- if (task) {
- if ((inode->i_mode == (S_IFDIR|S_IRUGO|S_IXUGO)) ||
-+#ifdef CONFIG_GRKERNSEC_PROC_USER
-+ (inode->i_mode == (S_IFDIR|S_IRUSR|S_IXUSR)) ||
-+#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
-+ (inode->i_mode == (S_IFDIR|S_IRUSR|S_IRGRP|S_IXUSR|S_IXGRP)) ||
-+#endif
- task_dumpable(task)) {
- inode->i_uid = task->euid;
-+#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
-+ inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
-+#else
- inode->i_gid = task->egid;
-+#endif
- } else {
- inode->i_uid = 0;
- inode->i_gid = 0;
-@@ -2503,6 +2537,9 @@ int proc_pid_readdir(struct file * filp,
- {
- unsigned int nr = filp->f_pos - FIRST_PROCESS_ENTRY;
- struct task_struct *reaper = get_proc_task_real(filp->f_path.dentry->d_inode);
-+#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
-+ struct task_struct *tmp = current;
-+#endif
- struct tgid_iter iter;
- struct pid_namespace *ns;
-
-@@ -2524,6 +2561,15 @@ int proc_pid_readdir(struct file * filp,
- filp->f_pos = iter.tgid + TGID_OFFSET;
- if (!vx_proc_task_visible(iter.task))
- continue;
-+#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
-+ if (tmp->uid && (iter.task->uid != tmp->uid)
-+#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
-+ && !in_group_p(CONFIG_GRKERNSEC_PROC_GID)
-+#endif
-+ )
-+ continue;
-+#endif
-+
- if (proc_pid_fill_cache(filp, dirent, filldir, iter) < 0) {
- put_task_struct(iter.task);
- goto out;
-@@ -2588,6 +2634,9 @@ static const struct pid_entry tid_base_s
- #ifdef CONFIG_FAULT_INJECTION
- REG("make-it-fail", S_IRUGO|S_IWUSR, fault_inject),
- #endif
-+#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
-+ INF("ipaddr", S_IRUSR, pid_ipaddr),
-+#endif
- };
-
- static int proc_tid_base_readdir(struct file * filp,
-@@ -2622,7 +2671,14 @@ static struct dentry *proc_task_instanti
-
- if (!inode)
- goto out;
-+#ifdef CONFIG_GRKERNSEC_PROC_USER
-+ inode->i_mode = S_IFDIR|S_IRUSR|S_IXUSR;
-+#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
-+ inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
-+ inode->i_mode = S_IFDIR|S_IRUSR|S_IRGRP|S_IXUSR|S_IXGRP;
-+#else
- inode->i_mode = S_IFDIR|S_IRUGO|S_IXUGO;
-+#endif
- inode->i_op = &proc_tid_base_inode_operations;
- inode->i_fop = &proc_tid_base_operations;
- inode->i_flags|=S_IMMUTABLE;
-diff -urNp linux-2.6.24.orig/fs/proc/inode.c linux-2.6.24/fs/proc/inode.c
---- linux-2.6.24.orig/fs/proc/inode.c 2008-04-19 16:20:10.000000000 +0200
-+++ linux-2.6.24/fs/proc/inode.c 2008-04-19 16:59:08.000000000 +0200
+diff -urNp linux-2.6.24.5/fs/proc/inode.c linux-2.6.24.5/fs/proc/inode.c
+--- linux-2.6.24.5/fs/proc/inode.c 2008-03-24 14:49:18.000000000 -0400
++++ linux-2.6.24.5/fs/proc/inode.c 2008-03-26 20:21:08.000000000 -0400
@@ -411,7 +411,11 @@ struct inode *proc_get_inode(struct supe
if (de->mode) {
inode->i_mode = de->mode;
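Review bot: The entire fs/proc/base.c section is dropped from the new side of this hunk (and fs/proc/proc_net.c in the hunk at `@@ -372,27 +277,10 @@`), so nothing visible in the recreated patch still hooks `pid_getattr`, `pid_revalidate`, `proc_pid_readdir` or `proc_task_instantiate`, and nothing registers the `ipaddr` entry that `proc_pid_ipaddr()` — still declared in the fs/proc/internal.h hunk — would back. Unless those hooks are carried in a separate patch, the Kconfig help added later in this diff for `GRKERNSEC_PROC_USER` ("non-root users will only be able to view their own processes") and `GRKERNSEC_PROC_IPADDR` describes restrictions the patch no longer enforces, which is a silent loss of protection for anyone enabling them. If the drop is intentional because the vserver `vx_proc_task_visible()` check in proc_pid_readdir already covers process visibility, that decision should be recorded in the log message and the Kconfig help trimmed to what the minimal patch actually does; otherwise the base.c and proc_net.c sections should be re-extracted from the grsecurity-2.1.11-2.6.24.5 patch named in the log.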
@@ -287,25 +192,25 @@
inode->i_gid = de->gid;
+#endif
}
- if (de->vx_flags)
- PROC_I(inode)->vx_flags = de->vx_flags;
-diff -urNp linux-2.6.24.orig/fs/proc/internal.h linux-2.6.24/fs/proc/internal.h
---- linux-2.6.24.orig/fs/proc/internal.h 2008-04-19 16:20:10.000000000 +0200
-+++ linux-2.6.24/fs/proc/internal.h 2008-04-19 16:59:08.000000000 +0200
-@@ -54,6 +54,9 @@ extern int proc_tgid_stat(struct task_st
+ if (de->size)
+ inode->i_size = de->size;
+diff -urNp linux-2.6.24.5/fs/proc/internal.h linux-2.6.24.5/fs/proc/internal.h
+--- linux-2.6.24.5/fs/proc/internal.h 2008-03-24 14:49:18.000000000 -0400
++++ linux-2.6.24.5/fs/proc/internal.h 2008-03-26 20:21:08.000000000 -0400
+@@ -52,6 +52,9 @@ extern int proc_tid_stat(struct task_str
+ extern int proc_tgid_stat(struct task_struct *, char *);
extern int proc_pid_status(struct task_struct *, char *);
extern int proc_pid_statm(struct task_struct *, char *);
- extern int proc_pid_nsproxy(struct task_struct *, char *);
+#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
+extern int proc_pid_ipaddr(struct task_struct*,char*);
+#endif
extern const struct file_operations proc_maps_operations;
extern const struct file_operations proc_numa_maps_operations;
-diff -urNp linux-2.6.24.orig/fs/proc/proc_misc.c linux-2.6.24/fs/proc/proc_misc.c
---- linux-2.6.24.orig/fs/proc/proc_misc.c 2008-04-19 16:20:10.000000000 +0200
-+++ linux-2.6.24/fs/proc/proc_misc.c 2008-04-19 16:59:08.000000000 +0200
-@@ -707,6 +707,8 @@ void create_seq_entry(char *name, mode_t
+diff -urNp linux-2.6.24.5/fs/proc/proc_misc.c linux-2.6.24.5/fs/proc/proc_misc.c
+--- linux-2.6.24.5/fs/proc/proc_misc.c 2008-03-24 14:49:18.000000000 -0400
++++ linux-2.6.24.5/fs/proc/proc_misc.c 2008-03-26 20:21:08.000000000 -0400
+@@ -687,6 +687,8 @@ void create_seq_entry(char *name, mode_t
void __init proc_misc_init(void)
{
@@ -314,7 +219,7 @@
static struct {
char *name;
int (*read_proc)(char*,char**,off_t,int,int*,void*);
-@@ -722,13 +724,24 @@ void __init proc_misc_init(void)
+@@ -702,13 +704,24 @@ void __init proc_misc_init(void)
{"stram", stram_read_proc},
#endif
{"filesystems", filesystems_read_proc},
@@ -339,7 +244,7 @@
proc_symlink("mounts", NULL, "self/mounts");
/* And now for trickier ones */
-@@ -741,7 +754,11 @@ void __init proc_misc_init(void)
+@@ -721,7 +734,11 @@ void __init proc_misc_init(void)
}
#endif
create_seq_entry("locks", 0, &proc_locks_operations);
@@ -351,11 +256,11 @@
create_seq_entry("cpuinfo", 0, &proc_cpuinfo_operations);
#ifdef CONFIG_BLOCK
create_seq_entry("partitions", 0, &proc_partitions_operations);
-@@ -749,7 +766,11 @@ void __init proc_misc_init(void)
+@@ -729,7 +746,11 @@ void __init proc_misc_init(void)
create_seq_entry("stat", 0, &proc_stat_operations);
create_seq_entry("interrupts", 0, &proc_interrupts_operations);
#ifdef CONFIG_SLABINFO
-+#ifdef CONFIG_GRKERNSEC_PROC_ADD
++#ifdef CONFIG_GRKRENSEC_PROC_ADD
+ create_seq_entry("slabinfo",S_IWUSR|gr_mode,&proc_slabinfo_operations);
+#else
create_seq_entry("slabinfo",S_IWUSR|S_IRUGO,&proc_slabinfo_operations);
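Review bot: `+#ifdef CONFIG_GRKRENSEC_PROC_ADD` on the new side misspells the option; the previous revision read `CONFIG_GRKERNSEC_PROC_ADD`, matching the `config GRKERNSEC_PROC_ADD` added in grsecurity/Kconfig later in this diff. With the typo the guard is never defined, so `/proc/slabinfo` is always created with `S_IWUSR|S_IRUGO` and the "Additional restrictions" option silently stops applying to it, even though the Kconfig help names slabinfo as one of the things it is meant to hide. Change the line to `+#ifdef CONFIG_GRKERNSEC_PROC_ADD`. The enclosing `proc_misc_init()` starts and ends outside the hunk.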
@@ -363,7 +268,7 @@
#ifdef CONFIG_DEBUG_SLAB_LEAK
create_seq_entry("slab_allocators", 0 ,&proc_slabstats_operations);
#endif
-@@ -767,7 +788,7 @@ void __init proc_misc_init(void)
+@@ -747,7 +768,7 @@ void __init proc_misc_init(void)
#ifdef CONFIG_SCHEDSTATS
create_seq_entry("schedstat", 0, &proc_schedstat_operations);
#endif
@@ -372,27 +277,10 @@
proc_root_kcore = create_proc_entry("kcore", S_IRUSR, NULL);
if (proc_root_kcore) {
proc_root_kcore->proc_fops = &proc_kcore_operations;
-diff -urNp linux-2.6.24.orig/fs/proc/proc_net.c linux-2.6.24/fs/proc/proc_net.c
---- linux-2.6.24.orig/fs/proc/proc_net.c 2008-04-19 16:20:10.000000000 +0200
-+++ linux-2.6.24/fs/proc/proc_net.c 2008-04-19 16:59:08.000000000 +0200
-@@ -110,7 +110,13 @@ static struct pernet_operations __net_in
-
- int __init proc_net_init(void)
- {
-+#ifdef CONFIG_GRKERNSEC_PROC_USER
-+ shadow_pde = proc_mkdir_mode("net", S_IRUSR | S_IXUSR, NULL);
-+#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
-+ shadow_pde = proc_mkdir_mode("net", S_IRUSR | S_IXUSR | S_IRGRP | S_IXGRP, NULL);
-+#else
- shadow_pde = proc_mkdir("net", NULL);
-+#endif
- shadow_pde->shadow_proc = proc_net_shadow;
-
- return register_pernet_subsys(&proc_net_ns_ops);
-diff -urNp linux-2.6.24.orig/fs/proc/root.c linux-2.6.24/fs/proc/root.c
---- linux-2.6.24.orig/fs/proc/root.c 2008-04-19 16:20:10.000000000 +0200
-+++ linux-2.6.24/fs/proc/root.c 2008-04-19 16:59:08.000000000 +0200
-@@ -140,7 +140,15 @@ void __init proc_root_init(void)
+diff -urNp linux-2.6.24.5/fs/proc/root.c linux-2.6.24.5/fs/proc/root.c
+--- linux-2.6.24.5/fs/proc/root.c 2008-03-24 14:49:18.000000000 -0400
++++ linux-2.6.24.5/fs/proc/root.c 2008-03-26 20:21:08.000000000 -0400
+@@ -137,7 +137,15 @@ void __init proc_root_init(void)
#ifdef CONFIG_PROC_DEVICETREE
proc_device_tree_init();
#endif
@@ -405,22 +293,165 @@
+#else
proc_bus = proc_mkdir("bus", NULL);
+#endif
- proc_vx_init();
proc_sys_init();
}
-diff -urNp linux-2.6.24.orig/grsecurity/grsec_disabled.c linux-2.6.24/grsecurity/grsec_disabled.c
---- linux-2.6.24.orig/grsecurity/grsec_disabled.c 1970-01-01 01:00:00.000000000 +0100
-+++ linux-2.6.24/grsecurity/grsec_disabled.c 2008-04-19 16:59:08.000000000 +0200
-@@ -0,0 +1,5 @@
+
+diff -urNp linux-2.6.24.5/grsecurity/Kconfig linux-2.6.24.5/grsecurity/Kconfig
+--- linux-2.6.24.5/grsecurity/Kconfig 1969-12-31 19:00:00.000000000 -0500
++++ linux-2.6.24.5/grsecurity/Kconfig 2008-03-26 20:21:09.000000000 -0400
+@@ -0,0 +1,123 @@
++#
++# grecurity configuration
++#
++
++menu "Grsecurity"
++
++config GRKERNSEC
++ bool "Grsecurity"
++ select CRYPTO
++ select CRYPTO_SHA256
++ select SECURITY
++ select SECURITY_CAPABILITIES
++ help
++ If you say Y here, you will be able to configure many features
++ that will enhance the security of your system. It is highly
++ recommended that you say Y here and read through the help
++ for each option so that you fully understand the features and
++ can evaluate their usefulness for your machine.
++
++menu "Filesystem Protections"
++depends on GRKERNSEC
++
++config GRKERNSEC_PROC
++ bool "Proc restrictions"
++ help
++ If you say Y here, the permissions of the /proc filesystem
++ will be altered to enhance system security and privacy. You MUST
++ choose either a user only restriction or a user and group restriction.
++ Depending upon the option you choose, you can either restrict users to
++ see only the processes they themselves run, or choose a group that can
++ view all processes and files normally restricted to root if you choose
++ the "restrict to user only" option. NOTE: If you're running identd as
++ a non-root user, you will have to run it as the group you specify here.
++
++config GRKERNSEC_PROC_USER
++ bool "Restrict /proc to user only"
++ depends on GRKERNSEC_PROC
++ help
++ If you say Y here, non-root users will only be able to view their own
++ processes, and restricts them from viewing network-related information,
++ and viewing kernel symbol and module information.
++
++config GRKERNSEC_PROC_USERGROUP
++ bool "Allow special group"
++ depends on GRKERNSEC_PROC && !GRKERNSEC_PROC_USER
++ help
++ If you say Y here, you will be able to select a group that will be
++ able to view all processes, network-related information, and
++ kernel and symbol information. This option is useful if you want
++ to run identd as a non-root user.
++
++config GRKERNSEC_PROC_GID
++ int "GID for special group"
++ depends on GRKERNSEC_PROC_USERGROUP
++ default 1001
++
++config GRKERNSEC_PROC_ADD
++ bool "Additional restrictions"
++ depends on GRKERNSEC_PROC_USER || GRKERNSEC_PROC_USERGROUP
++ help
++ If you say Y here, additional restrictions will be placed on
++ /proc that keep normal users from viewing device information and
++ slabinfo information that could be useful for exploits.
++
++config GRKERNSEC_LINK
++ bool "Linking restrictions"
++ help
++ If you say Y here, /tmp race exploits will be prevented, since users
++ will no longer be able to follow symlinks owned by other users in
++ world-writable +t directories (i.e. /tmp), unless the owner of the
++ symlink is the owner of the directory. users will also not be
++ able to hardlink to files they do not own. If the sysctl option is
++ enabled, a sysctl option with name "linking_restrictions" is created.
++
++config GRKERNSEC_FIFO
++ bool "FIFO restrictions"
++ help
++ If you say Y here, users will not be able to write to FIFOs they don't
++ own in world-writable +t directories (i.e. /tmp), unless the owner of
++ the FIFO is the same owner of the directory it's held in. If the sysctl
++ option is enabled, a sysctl option with name "fifo_restrictions" is
++ created.
++
++endmenu
++
++config GRKERNSEC_PROC_IPADDR
++ bool "/proc/<pid>/ipaddr support"
++ help
++ If you say Y here, a new entry will be added to each /proc/<pid>
++ directory that contains the IP address of the person using the task.
++ The IP is carried across local TCP and AF_UNIX stream sockets.
++ This information can be useful for IDS/IPSes to perform remote response
++ to a local attack. The entry is readable by only the owner of the
++ process (and root if he has CAP_DAC_OVERRIDE, which can be removed via
++ the RBAC system), and thus does not create privacy concerns.
++
++config GRKERNSEC_SYSCTL
++ bool "Sysctl support"
++ help
++ If you say Y here, you will be able to change the options that
++ grsecurity runs with at bootup, without having to recompile your
++ kernel. You can echo values to files in /proc/sys/kernel/grsecurity
++ to enable (1) or disable (0) various features. All the sysctl entries
++ are mutable until the "grsec_lock" entry is set to a non-zero value.
++ All features enabled in the kernel configuration are disabled at boot
++ if you do not say Y to the "Turn on features by default" option.
++ All options should be set at startup, and the grsec_lock entry should
++ be set to a non-zero value after all the options are set.
++ *THIS IS EXTREMELY IMPORTANT*
++
++config GRKERNSEC_SYSCTL_ON
++ bool "Turn on features by default"
++ depends on GRKERNSEC_SYSCTL
++ help
++ If you say Y here, instead of having all features enabled in the
++ kernel configuration disabled at boot time, the features will be
++ enabled at boot time. It is recommended you say Y here unless
++ there is some reason you would want all sysctl-tunable features to
++ be disabled by default. As mentioned elsewhere, it is important
++ to enable the grsec_lock entry once you have finished modifying
++ the sysctl entries.
++
++endmenu
+diff -urNp linux-2.6.24.5/grsecurity/Makefile linux-2.6.24.5/grsecurity/Makefile
+--- linux-2.6.24.5/grsecurity/Makefile 1969-12-31 19:00:00.000000000 -0500
++++ linux-2.6.24.5/grsecurity/Makefile 2008-03-26 20:21:09.000000000 -0400
+@@ -0,0 +1,11 @@
++# All code in this directory and various hooks inserted throughout the kernel
++# are copyright Brad Spengler, and released under the GPL v2 or higher
++
++obj-y = grsec_fifo.o grsec_sock.o grsec_sysctl.o grsec_link.o
++
++obj-$(CONFIG_GRKERNSEC) += grsec_init.o
++
++ifndef CONFIG_GRKERNSEC
++obj-y += grsec_disabled.o
++endif
++
+diff -urNp linux-2.6.24.5/grsecurity/grsec_disabled.c linux-2.6.24.5/grsecurity/grsec_disabled.c
+--- linux-2.6.24.5/grsecurity/grsec_disabled.c 1969-12-31 19:00:00.000000000 -0500
++++ linux-2.6.24.5/grsecurity/grsec_disabled.c 2008-03-26 20:21:09.000000000 -0400
+@@ -0,0 +1,6 @@
+void
+grsecurity_init(void)
+{
+ return;
+}
-diff -urNp linux-2.6.24.orig/grsecurity/grsec_fifo.c linux-2.6.24/grsecurity/grsec_fifo.c
---- linux-2.6.24.orig/grsecurity/grsec_fifo.c 1970-01-01 01:00:00.000000000 +0100
-+++ linux-2.6.24/grsecurity/grsec_fifo.c 2008-04-19 16:59:08.000000000 +0200
-@@ -0,0 +1,20 @@
++
+diff -urNp linux-2.6.24.5/grsecurity/grsec_fifo.c linux-2.6.24.5/grsecurity/grsec_fifo.c
+--- linux-2.6.24.5/grsecurity/grsec_fifo.c 1969-12-31 19:00:00.000000000 -0500
++++ linux-2.6.24.5/grsecurity/grsec_fifo.c 2008-03-26 20:21:09.000000000 -0400
+@@ -0,0 +1,21 @@
+#include <linux/kernel.h>
+#include <linux/sched.h>
+#include <linux/fs.h>
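Review bot: In the new grsecurity/Kconfig, `config GRKERNSEC_PROC_IPADDR` and `config GRKERNSEC_SYSCTL` come after the `endmenu` of the GRKERNSEC-gated "Filesystem Protections" menu and carry no `depends on GRKERNSEC` of their own, so they remain selectable with GRKERNSEC=n; the Makefile in the same hunk builds grsec_sysctl.o and grsec_sock.o unconditionally while grsec_init.o is built only for CONFIG_GRKERNSEC, so that combination looks more likely to end in a build or link failure than a clean no-op, though the bodies of those files are outside this diff. Add `depends on GRKERNSEC` under both of those `config` lines (GRKERNSEC_SYSCTL_ON already depends on GRKERNSEC_SYSCTL and inherits it). The `# grecurity configuration` header comment also misspells grsecurity.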
@@ -436,24 +467,25 @@
+ !(flag & O_EXCL) && (dir->d_inode->i_mode & S_ISVTX) &&
+ (dentry->d_inode->i_uid != dir->d_inode->i_uid) &&
+ (current->fsuid != dentry->d_inode->i_uid)) {
++ if (!generic_permission(dentry->d_inode, acc_mode, NULL))
+ return -EACCES;
+ }
+#endif
+ return 0;
+}
-diff -urNp linux-2.6.24.orig/grsecurity/grsec_init.c linux-2.6.24/grsecurity/grsec_init.c
---- linux-2.6.24.orig/grsecurity/grsec_init.c 1970-01-01 01:00:00.000000000 +0100
-+++ linux-2.6.24/grsecurity/grsec_init.c 2008-04-19 16:59:08.000000000 +0200
-@@ -0,0 +1,33 @@
+diff -urNp linux-2.6.24.5/grsecurity/grsec_init.c linux-2.6.24.5/grsecurity/grsec_init.c
<<Diff was trimmed, longer than 597 lines>>
---- CVS-web:
http://cvs.pld-linux.org/cgi-bin/cvsweb.cgi/SOURCES/linux-2.6-grsec-vs-minimal.patch?r1=1.1.2.8.2.1&r2=1.1.2.8.2.2&f=u