SOURCES (Titanium): linux-2.6-grsec-vs-minimal.patch - minimal grsecurity c...
hawk
hawk at pld-linux.org
Fri Nov 7 14:30:51 CET 2008
Author: hawk Date: Fri Nov 7 13:30:51 2008 GMT
Module: SOURCES Tag: Titanium
---- Log message:
- minimal grsecurity created from scratch for 2.6.27.x kernels
---- Files affected:
SOURCES:
linux-2.6-grsec-vs-minimal.patch (1.1.2.8.2.10 -> 1.1.2.8.2.11)
---- Diffs:
================================================================
Index: SOURCES/linux-2.6-grsec-vs-minimal.patch
diff -u SOURCES/linux-2.6-grsec-vs-minimal.patch:1.1.2.8.2.10 SOURCES/linux-2.6-grsec-vs-minimal.patch:1.1.2.8.2.11
--- SOURCES/linux-2.6-grsec-vs-minimal.patch:1.1.2.8.2.10 Tue Sep 2 15:38:18 2008
+++ SOURCES/linux-2.6-grsec-vs-minimal.patch Fri Nov 7 14:30:45 2008
@@ -1,7 +1,7 @@
-diff -urNp linux-2.6.26.orig/arch/sparc/Makefile linux-2.6.26/arch/sparc/Makefile
---- linux-2.6.26.orig/arch/sparc/Makefile 2008-09-01 11:44:21.000000000 +0200
-+++ linux-2.6.26/arch/sparc/Makefile 2008-09-02 12:17:21.000000000 +0200
-@@ -36,7 +36,7 @@ drivers-$(CONFIG_OPROFILE) += arch/sparc
+diff -urNp linux-2.6.27.4/arch/sparc/Makefile linux-2.6.27.4/arch/sparc/Makefile
+--- linux-2.6.27.4/arch/sparc/Makefile 2008-10-22 17:38:01.000000000 -0400
++++ linux-2.6.27.4/arch/sparc/Makefile 2008-10-25 12:03:06.000000000 -0400
+@@ -37,7 +37,7 @@ drivers-$(CONFIG_OPROFILE) += arch/sparc
# Renaming is done to avoid confusing pattern matching rules in 2.5.45 (multy-)
INIT_Y := $(patsubst %/, %/built-in.o, $(init-y))
CORE_Y := $(core-y)
@@ -10,10 +10,10 @@
CORE_Y := $(patsubst %/, %/built-in.o, $(CORE_Y))
DRIVERS_Y := $(patsubst %/, %/built-in.o, $(drivers-y))
NET_Y := $(patsubst %/, %/built-in.o, $(net-y))
-diff -urNp linux-2.6.26.orig/drivers/char/keyboard.c linux-2.6.26/drivers/char/keyboard.c
---- linux-2.6.26.orig/drivers/char/keyboard.c 2008-09-01 11:43:37.000000000 +0200
-+++ linux-2.6.26/drivers/char/keyboard.c 2008-09-02 12:17:21.000000000 +0200
-@@ -633,6 +633,16 @@ static void k_spec(struct vc_data *vc, u
+diff -urNp linux-2.6.27.4/drivers/char/keyboard.c linux-2.6.27.4/drivers/char/keyboard.c
+--- linux-2.6.27.4/drivers/char/keyboard.c 2008-10-22 17:38:01.000000000 -0400
++++ linux-2.6.27.4/drivers/char/keyboard.c 2008-10-27 22:36:17.000000000 -0400
+@@ -635,6 +635,16 @@ static void k_spec(struct vc_data *vc, u
kbd->kbdmode == VC_MEDIUMRAW) &&
value != KVAL(K_SAK))
return; /* SAK is allowed even in raw mode */
@@ -30,10 +30,10 @@
fn_handler[value](vc);
}
-diff -urNp linux-2.6.26.orig/drivers/pci/proc.c linux-2.6.26/drivers/pci/proc.c
---- linux-2.6.26.orig/drivers/pci/proc.c 2008-09-01 11:43:47.000000000 +0200
-+++ linux-2.6.26/drivers/pci/proc.c 2008-09-02 12:17:21.000000000 +0200
-@@ -472,7 +472,16 @@ static const struct file_operations proc
+diff -urNp linux-2.6.27.4/drivers/pci/proc.c linux-2.6.27.4/drivers/pci/proc.c
+--- linux-2.6.27.4/drivers/pci/proc.c 2008-10-22 17:38:01.000000000 -0400
++++ linux-2.6.27.4/drivers/pci/proc.c 2008-10-25 12:03:06.000000000 -0400
+@@ -470,7 +470,16 @@ static const struct file_operations proc
static int __init pci_proc_init(void)
{
struct pci_dev *dev = NULL;
@@ -50,43 +50,25 @@
proc_create("devices", 0, proc_bus_pci_dir,
&proc_bus_pci_dev_operations);
proc_initialized = 1;
-diff -urNp linux-2.6.26.orig/fs/Kconfig linux-2.6.26/fs/Kconfig
---- linux-2.6.26.orig/fs/Kconfig 2008-09-01 11:43:58.000000000 +0200
-+++ linux-2.6.26/fs/Kconfig 2008-09-02 12:17:21.000000000 +0200
-@@ -926,12 +926,12 @@ config PROC_FS
-
- config PROC_KCORE
- bool "/proc/kcore support" if !ARM
-- depends on PROC_FS && MMU
-+ depends on PROC_FS && MMU && !GRKERNSEC_PROC_ADD
-
- config PROC_VMCORE
- bool "/proc/vmcore support (EXPERIMENTAL)"
-- depends on PROC_FS && EXPERIMENTAL && CRASH_DUMP
-- default y
-+ depends on PROC_FS && EXPERIMENTAL && CRASH_DUMP && !GRKERNSEC
-+ default n
- help
- Exports the dump image of crashed kernel in ELF format.
-
-diff -urNp linux-2.6.26.orig/fs/namei.c linux-2.6.26/fs/namei.c
---- linux-2.6.26.orig/fs/namei.c 2008-09-01 11:43:59.000000000 +0200
-+++ linux-2.6.26/fs/namei.c 2008-09-02 12:17:21.000000000 +0200
-@@ -38,6 +38,7 @@
- #include <linux/vs_cowbl.h>
- #include <linux/vs_device.h>
- #include <linux/vs_context.h>
+diff -urNp linux-2.6.27.4/fs/namei.c linux-2.6.27.4/fs/namei.c
+--- linux-2.6.27.4/fs/namei.c 2008-10-22 17:38:01.000000000 -0400
++++ linux-2.6.27.4/fs/namei.c 2008-10-27 22:36:18.000000000 -0400
+@@ -31,6 +31,8 @@
+ #include <linux/file.h>
+ #include <linux/fcntl.h>
+ #include <linux/device_cgroup.h>
+#include <linux/grsecurity.h>
- #include <asm/namei.h>
++
#include <asm/uaccess.h>
-@@ -740,6 +741,13 @@ static inline int do_follow_link(struct
+ #define ACC_MODE(x) ("\000\004\002\006"[(x)&O_ACCMODE])
+@@ -677,6 +679,13 @@ static inline int do_follow_link(struct
err = security_inode_follow_link(path->dentry, nd);
if (err)
goto loop;
+
+ if (gr_handle_follow_link(path->dentry->d_parent->d_inode,
-+ path->dentry->d_inode, path->dentry)) {
++ path->dentry->d_inode, path->dentry, nd->path.mnt)) {
+ err = -EACCES;
+ goto loop;
+ }
@@ -94,12 +76,12 @@
current->link_count++;
current->total_link_count++;
nd->depth++;
-@@ -1925,6 +1933,12 @@ do_last:
+@@ -1759,6 +1794,12 @@ do_last:
/*
* It already exists.
*/
+
-+ if (gr_handle_fifo(path.dentry, dir, flag, acc_mode)) {
++ if (gr_handle_fifo(path.dentry, nd.path.mnt, dir, flag, acc_mode)) {
+ error = -EACCES;
+ goto exit_mutex_unlock;
+ }
@@ -107,13 +89,13 @@
mutex_unlock(&dir->d_inode->i_mutex);
audit_inode(pathname, path.dentry);
-@@ -2028,6 +2042,13 @@ do_link:
+@@ -1843,6 +1892,13 @@ do_link:
error = security_inode_follow_link(path.dentry, &nd);
if (error)
goto exit_dput;
+
+ if (gr_handle_follow_link(path.dentry->d_parent->d_inode, path.dentry->d_inode,
-+ path.dentry)) {
++ path.dentry, nd.path.mnt)) {
+ error = -EACCES;
+ goto exit_dput;
+ }
@@ -121,13 +103,14 @@
error = __do_follow_link(&path, &nd);
if (error) {
/* Does someone understand code flow here? Or it is only
-@@ -2669,6 +2690,13 @@ asmlinkage long sys_linkat(int olddfd, c
+@@ -2453,6 +2572,14 @@ asmlinkage long sys_linkat(int olddfd, c
error = PTR_ERR(new_dentry);
if (IS_ERR(new_dentry))
goto out_unlock;
+
-+ if (gr_handle_hardlink(old_nd.path.dentry, old_nd.path.dentry->d_inode,
-+ old_nd.path.dentry->d_inode->i_mode, to)) {
++ if (gr_handle_hardlink(old_path.dentry, old_path.mnt,
++ old_path.dentry->d_inode,
++ old_path.dentry->d_inode->i_mode, to)) {
+ error = -EACCES;
+ goto out_dput;
+ }
@@ -135,10 +118,10 @@
error = mnt_want_write(nd.path.mnt);
if (error)
goto out_dput;
-diff -urNp linux-2.6.26.orig/fs/proc/array.c linux-2.6.26/fs/proc/array.c
---- linux-2.6.26.orig/fs/proc/array.c 2008-09-01 11:43:59.000000000 +0200
-+++ linux-2.6.26/fs/proc/array.c 2008-09-02 12:17:21.000000000 +0200
-@@ -639,3 +639,10 @@ int proc_pid_statm(struct seq_file *m, s
+diff -urNp linux-2.6.27.4/fs/proc/array.c linux-2.6.27.4/fs/proc/array.c
+--- linux-2.6.27.4/fs/proc/array.c 2008-10-22 17:38:01.000000000 -0400
++++ linux-2.6.27.4/fs/proc/array.c 2008-10-27 22:36:18.000000000 -0400
+@@ -524,3 +569,10 @@ int proc_pid_statm(struct seq_file *m, s
return 0;
}
@@ -149,13 +132,13 @@
+ return sprintf(buffer, "%u.%u.%u.%u\n", NIPQUAD(task->signal->curr_ip));
+}
+#endif
-diff -urNp linux-2.6.26.orig/fs/proc/base.c linux-2.6.26/fs/proc/base.c
---- linux-2.6.26.orig/fs/proc/base.c 2008-09-01 11:43:59.000000000 +0200
-+++ linux-2.6.26/fs/proc/base.c 2008-09-02 12:23:45.000000000 +0200
+diff -urNp linux-2.6.27.4/fs/proc/base.c linux-2.6.27.4/fs/proc/base.c
+--- linux-2.6.27.4/fs/proc/base.c 2008-10-22 17:38:01.000000000 -0400
++++ linux-2.6.27.4/fs/proc/base.c 2008-10-27 22:36:18.000000000 -0400
@@ -79,6 +79,8 @@
+ #include <linux/oom.h>
+ #include <linux/elf.h>
#include <linux/pid_namespace.h>
- #include <linux/vs_context.h>
- #include <linux/vs_network.h>
+#include <linux/grsecurity.h>
+
#include "internal.h"
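Review bot: The `proc_pid_ipaddr` reader kept on the new side dereferences `task->signal` with no guard (`NIPQUAD(task->signal->curr_ip)`), and a task reached through a /proc inode can, as far as I recall for this kernel generation, already have had its signal_struct detached by `__exit_signal()`, leaving `task->signal` NULL and this read oopsing. The neighbouring per-task readers in base.c guard that case, so I would add `if (!task->signal) return 0;` before the `sprintf`, or wrap the read in a `lock_task_sighand()`/`unlock_task_sighand()` pair. A one-line comment saying who writes `curr_ip` (presumably only the owning task, via the grsec_sock.c hooks) would also justify the lockless read. The function's opening lines are outside this hunk.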
@@ -170,7 +153,7 @@
EXPORT_SYMBOL(maps_protect);
static struct fs_struct *get_fs_struct(struct task_struct *task)
-@@ -307,9 +312,9 @@ static int proc_pid_auxv(struct task_str
+@@ -312,9 +317,9 @@ static int proc_pid_auxv(struct task_str
struct mm_struct *mm = get_task_mm(task);
if (mm) {
unsigned int nwords = 0;
@@ -182,7 +165,7 @@
res = nwords * sizeof(mm->saved_auxv[0]);
if (res > PAGE_SIZE)
res = PAGE_SIZE;
-@@ -1412,7 +1417,11 @@ static struct inode *proc_pid_make_inode
+@@ -1437,7 +1442,11 @@ static struct inode *proc_pid_make_inode
inode->i_gid = 0;
if (task_dumpable(task)) {
inode->i_uid = task->euid;
@@ -192,9 +175,9 @@
inode->i_gid = task->egid;
+#endif
}
- /* procfs is xid tagged */
- inode->i_tag = (tag_t)vx_task_xid(task);
-@@ -1430,17 +1439,39 @@ static int pid_getattr(struct vfsmount *
+ security_task_to_inode(task, inode);
+
+@@ -1453,17 +1462,39 @@ static int pid_getattr(struct vfsmount *
{
struct inode *inode = dentry->d_inode;
struct task_struct *task;
@@ -235,7 +218,7 @@
}
}
rcu_read_unlock();
-@@ -1468,11 +1505,21 @@ static int pid_revalidate(struct dentry
+@@ -1491,11 +1528,21 @@ static int pid_revalidate(struct dentry
{
struct inode *inode = dentry->d_inode;
struct task_struct *task = get_proc_task(inode);
@@ -257,8 +240,8 @@
} else {
inode->i_uid = 0;
inode->i_gid = 0;
-@@ -1841,12 +1888,19 @@ static int proc_fd_permission(struct ino
- struct nameidata *nd)
+@@ -1863,12 +1910,19 @@ static const struct file_operations proc
+ static int proc_fd_permission(struct inode *inode, int mask)
{
int rv;
+ struct task_struct *task;
@@ -279,7 +262,17 @@
return rv;
}
-@@ -2617,7 +2683,14 @@ static struct dentry *proc_pid_instantia
+@@ -2518,6 +2584,9 @@ static const struct pid_entry tgid_base_
+ #ifdef CONFIG_TASK_IO_ACCOUNTING
+ INF("io", S_IRUGO, tgid_io_accounting),
+ #endif
++#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
++ INF("ipaddr", S_IRUSR, pid_ipaddr),
++#endif
+ };
+
+ static int proc_tgid_base_readdir(struct file * filp,
+@@ -2647,7 +2716,14 @@ static struct dentry *proc_pid_instantia
if (!inode)
goto out;
@@ -294,17 +287,17 @@
inode->i_op = &proc_tgid_base_inode_operations;
inode->i_fop = &proc_tgid_base_operations;
inode->i_flags|=S_IMMUTABLE;
-@@ -2724,6 +2801,9 @@ int proc_pid_readdir(struct file * filp,
+@@ -2754,6 +2834,9 @@ int proc_pid_readdir(struct file * filp,
{
unsigned int nr = filp->f_pos - FIRST_PROCESS_ENTRY;
- struct task_struct *reaper = get_proc_task_real(filp->f_path.dentry->d_inode);
+ struct task_struct *reaper = get_proc_task(filp->f_path.dentry->d_inode);
+#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
+ struct task_struct *tmp = current;
+#endif
struct tgid_iter iter;
struct pid_namespace *ns;
-@@ -2742,6 +2822,15 @@ int proc_pid_readdir(struct file * filp,
+@@ -2772,6 +2855,15 @@ int proc_pid_readdir(struct file * filp,
for (iter = next_tgid(ns, iter);
iter.task;
iter.tgid += 1, iter = next_tgid(ns, iter)) {
@@ -318,22 +311,12 @@
+ continue;
+
filp->f_pos = iter.tgid + TGID_OFFSET;
- if (!vx_proc_task_visible(iter.task))
- continue;
-@@ -2815,6 +2906,9 @@ static const struct pid_entry tid_base_s
- #ifdef CONFIG_FAULT_INJECTION
- REG("make-it-fail", S_IRUGO|S_IWUSR, fault_inject),
- #endif
-+#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
-+ INF("ipaddr", S_IRUSR, pid_ipaddr),
-+#endif
- };
-
- static int proc_tid_base_readdir(struct file * filp,
-diff -urNp linux-2.6.26.orig/fs/proc/inode.c linux-2.6.26/fs/proc/inode.c
---- linux-2.6.26.orig/fs/proc/inode.c 2008-09-01 11:43:59.000000000 +0200
-+++ linux-2.6.26/fs/proc/inode.c 2008-09-02 12:17:21.000000000 +0200
-@@ -403,7 +403,11 @@ struct inode *proc_get_inode(struct supe
+ if (proc_pid_fill_cache(filp, dirent, filldir, iter) < 0) {
+ put_task_struct(iter.task);
+diff -urNp linux-2.6.27.4/fs/proc/inode.c linux-2.6.27.4/fs/proc/inode.c
+--- linux-2.6.27.4/fs/proc/inode.c 2008-10-22 17:38:01.000000000 -0400
++++ linux-2.6.27.4/fs/proc/inode.c 2008-10-25 12:03:07.000000000 -0400
+@@ -467,7 +467,11 @@ struct inode *proc_get_inode(struct supe
if (de->mode) {
inode->i_mode = de->mode;
inode->i_uid = de->uid;
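Review bot: The new context for `proc_pid_readdir()` no longer carries the `if (!vx_proc_task_visible(iter.task)) continue;` guard that the previous version expected (and the fs/proc/root.c hunk likewise drops `proc_vx_init()`), so this patch is now generated against a vanilla 2.6.27.4 tree rather than a vserver-patched one. For a file named grsec-vs-minimal that matters: if the spec still applies it after the vserver patch, this hunk and the root.c one will no longer match their context, and if it is now applied before, the vserver patch's own context in `proc_pid_readdir()` needs re-checking. The commit message ("created from scratch") does not say which ordering is intended; a line stating it would avoid a surprise at build time. `proc_pid_readdir()` continues outside this hunk.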
@@ -343,25 +326,44 @@
inode->i_gid = de->gid;
+#endif
}
- if (de->vx_flags)
- PROC_I(inode)->vx_flags = de->vx_flags;
-diff -urNp linux-2.6.26.orig/fs/proc/internal.h linux-2.6.26/fs/proc/internal.h
---- linux-2.6.26.orig/fs/proc/internal.h 2008-09-01 11:43:59.000000000 +0200
-+++ linux-2.6.26/fs/proc/internal.h 2008-09-02 12:17:21.000000000 +0200
-@@ -58,6 +58,9 @@ extern int proc_pid_statm(struct seq_fil
+ if (de->size)
+ inode->i_size = de->size;
+diff -urNp linux-2.6.27.4/fs/proc/internal.h linux-2.6.27.4/fs/proc/internal.h
+--- linux-2.6.27.4/fs/proc/internal.h 2008-10-22 17:38:01.000000000 -0400
++++ linux-2.6.27.4/fs/proc/internal.h 2008-10-25 12:03:07.000000000 -0400
+@@ -55,6 +55,9 @@ extern int proc_pid_status(struct seq_fi
struct pid *pid, struct task_struct *task);
- extern int proc_pid_nsproxy(struct seq_file *m, struct pid_namespace *ns,
+ extern int proc_pid_statm(struct seq_file *m, struct pid_namespace *ns,
struct pid *pid, struct task_struct *task);
+#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
+extern int proc_pid_ipaddr(struct task_struct *task, char *buffer);
+#endif
-
extern loff_t mem_lseek(struct file *file, loff_t offset, int orig);
-diff -urNp linux-2.6.26.orig/fs/proc/proc_misc.c linux-2.6.26/fs/proc/proc_misc.c
---- linux-2.6.26.orig/fs/proc/proc_misc.c 2008-09-01 11:43:59.000000000 +0200
-+++ linux-2.6.26/fs/proc/proc_misc.c 2008-09-02 12:17:21.000000000 +0200
-@@ -851,6 +851,8 @@ struct proc_dir_entry *proc_root_kcore;
+ extern const struct file_operations proc_maps_operations;
+diff -urNp linux-2.6.27.4/fs/proc/Kconfig linux-2.6.27.4/fs/proc/Kconfig
+--- linux-2.6.27.4/fs/proc/Kconfig 2008-10-22 17:38:01.000000000 -0400
++++ linux-2.6.27.4/fs/proc/Kconfig 2008-10-25 12:20:56.000000000 -0400
+@@ -30,12 +30,12 @@ config PROC_FS
+
+ config PROC_KCORE
+ bool "/proc/kcore support" if !ARM
+- depends on PROC_FS && MMU
++ depends on PROC_FS && MMU && !GRKERNSEC_PROC_ADD
+
+ config PROC_VMCORE
+ bool "/proc/vmcore support (EXPERIMENTAL)"
+- depends on PROC_FS && CRASH_DUMP
+- default y
++ depends on PROC_FS && CRASH_DUMP && !GRKERNSEC
++ default n
+ help
+ Exports the dump image of crashed kernel in ELF format.
+
+diff -urNp linux-2.6.27.4/fs/proc/proc_misc.c linux-2.6.27.4/fs/proc/proc_misc.c
+--- linux-2.6.27.4/fs/proc/proc_misc.c 2008-10-22 17:38:01.000000000 -0400
++++ linux-2.6.27.4/fs/proc/proc_misc.c 2008-10-25 12:03:07.000000000 -0400
+@@ -860,6 +860,8 @@ struct proc_dir_entry *proc_root_kcore;
void __init proc_misc_init(void)
{
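Review bot: `PROC_VMCORE` is now unavailable whenever `GRKERNSEC` is set at all, while `PROC_KCORE` is only gated by the finer `GRKERNSEC_PROC_ADD`; whatever the reason for the asymmetry, it silently removes the ELF crash-dump image (per the help text) from every grsec-enabled build and deserves a comment rather than a bare `depends on`. Suggest above the `depends on` line: `# grsecurity: /proc/vmcore is unconditionally disabled under GRKERNSEC (kcore only follows GRKERNSEC_PROC_ADD)`. The added `default n` is already Kconfig's default and can be dropped.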
@@ -370,7 +372,7 @@
static struct {
char *name;
int (*read_proc)(char*,char**,off_t,int,int*,void*);
-@@ -866,13 +868,24 @@ void __init proc_misc_init(void)
+@@ -875,13 +877,24 @@ void __init proc_misc_init(void)
{"stram", stram_read_proc},
#endif
{"filesystems", filesystems_read_proc},
@@ -395,7 +397,7 @@
proc_symlink("mounts", NULL, "self/mounts");
/* And now for trickier ones */
-@@ -880,14 +893,18 @@ void __init proc_misc_init(void)
+@@ -889,14 +902,18 @@ void __init proc_misc_init(void)
proc_create("kmsg", S_IRUSR, NULL, &proc_kmsg_operations);
#endif
proc_create("locks", 0, NULL, &proc_locks_operations);
@@ -415,7 +417,7 @@
proc_create("slabinfo",S_IWUSR|S_IRUGO,NULL,&proc_slabinfo_operations);
#ifdef CONFIG_DEBUG_SLAB_LEAK
proc_create("slab_allocators", 0, NULL, &proc_slabstats_operations);
-@@ -909,7 +926,7 @@ void __init proc_misc_init(void)
+@@ -918,7 +935,7 @@ void __init proc_misc_init(void)
#ifdef CONFIG_SCHEDSTATS
proc_create("schedstat", 0, NULL, &proc_schedstat_operations);
#endif
@@ -424,10 +426,28 @@
proc_root_kcore = proc_create("kcore", S_IRUSR, NULL, &proc_kcore_operations);
if (proc_root_kcore)
proc_root_kcore->size =
-diff -urNp linux-2.6.26.orig/fs/proc/root.c linux-2.6.26/fs/proc/root.c
---- linux-2.6.26.orig/fs/proc/root.c 2008-09-01 11:43:59.000000000 +0200
-+++ linux-2.6.26/fs/proc/root.c 2008-09-02 12:17:21.000000000 +0200
-@@ -139,7 +139,15 @@ void __init proc_root_init(void)
+diff -urNp linux-2.6.27.4/fs/proc/proc_net.c linux-2.6.27.4/fs/proc/proc_net.c
+--- linux-2.6.27.4/fs/proc/proc_net.c 2008-10-22 17:38:01.000000000 -0400
++++ linux-2.6.27.4/fs/proc/proc_net.c 2008-10-25 12:03:07.000000000 -0400
+@@ -106,6 +106,14 @@ static struct net *get_proc_task_net(str
+ struct nsproxy *ns;
+ struct net *net = NULL;
+
++#ifdef CONFIG_GRKERNSEC_PROC_USER
++ if (current->fsuid)
++ return net;
++#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
++ if (current->fsuid && !in_group_p(CONFIG_GRKERNSEC_PROC_GID))
++ return net;
++#endif
++
+ rcu_read_lock();
+ task = pid_task(proc_pid(dir), PIDTYPE_PID);
+ if (task != NULL) {
+diff -urNp linux-2.6.27.4/fs/proc/root.c linux-2.6.27.4/fs/proc/root.c
+--- linux-2.6.27.4/fs/proc/root.c 2008-10-22 17:38:01.000000000 -0400
++++ linux-2.6.27.4/fs/proc/root.c 2008-10-25 12:03:07.000000000 -0400
+@@ -135,7 +135,15 @@ void __init proc_root_init(void)
#ifdef CONFIG_PROC_DEVICETREE
proc_device_tree_init();
#endif
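Review bot: The new fsuid gate at the top of `get_proc_task_net()` returns the initial `net = NULL`, so an unprivileged caller — including one looking at its own `/proc/self/net` — gets whatever the callers do on a missing namespace (a lookup failure, presumably, rather than an explicit -EACCES), and that intent is nowhere written down for the next rebase. I would add above the `#ifdef`: `/* PROC_USER/USERGROUP: hide /proc/<pid>/net (and hence /proc/net) from unprivileged callers, even for their own tasks; NULL tells callers the namespace is not visible */`. The check also uses `current->fsuid`; that is fine as long as the other grsec /proc restrictions in base.c use the same credential, which the hunks visible here do not show.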
@@ -441,11 +461,11 @@
proc_mkdir("bus", NULL);
+#endif
proc_sys_init();
- proc_vx_init();
}
-diff -urNp linux-2.6.26.orig/grsecurity/grsec_disabled.c linux-2.6.26/grsecurity/grsec_disabled.c
---- linux-2.6.26.orig/grsecurity/grsec_disabled.c 1970-01-01 01:00:00.000000000 +0100
-+++ linux-2.6.26/grsecurity/grsec_disabled.c 2008-09-02 12:17:21.000000000 +0200
+
+diff -urNp linux-2.6.27.4/grsecurity/grsec_disabled.c linux-2.6.27.4/grsecurity/grsec_disabled.c
+--- linux-2.6.27.4/grsecurity/grsec_disabled.c 1969-12-31 19:00:00.000000000 -0500
++++ linux-2.6.27.4/grsecurity/grsec_disabled.c 2008-10-25 12:03:07.000000000 -0400
@@ -0,0 +1,6 @@
+void
+grsecurity_init(void)
@@ -453,9 +473,9 @@
+ return;
+}
+
-diff -urNp linux-2.6.26.orig/grsecurity/grsec_fifo.c linux-2.6.26/grsecurity/grsec_fifo.c
---- linux-2.6.26.orig/grsecurity/grsec_fifo.c 1970-01-01 01:00:00.000000000 +0100
-+++ linux-2.6.26/grsecurity/grsec_fifo.c 2008-09-02 12:17:21.000000000 +0200
+diff -urNp linux-2.6.27.4/grsecurity/grsec_fifo.c linux-2.6.27.4/grsecurity/grsec_fifo.c
+--- linux-2.6.27.4/grsecurity/grsec_fifo.c 1969-12-31 19:00:00.000000000 -0500
++++ linux-2.6.27.4/grsecurity/grsec_fifo.c 2008-10-25 12:03:07.000000000 -0400
@@ -0,0 +1,20 @@
+#include <linux/kernel.h>
+#include <linux/sched.h>
@@ -477,10 +497,10 @@
+#endif
+ return 0;
+}
-diff -urNp linux-2.6.26.orig/grsecurity/grsec_init.c linux-2.6.26/grsecurity/grsec_init.c
---- linux-2.6.26.orig/grsecurity/grsec_init.c 1970-01-01 01:00:00.000000000 +0100
-+++ linux-2.6.26/grsecurity/grsec_init.c 2008-09-02 12:17:21.000000000 +0200
-@@ -0,0 +1,29 @@
+diff -urNp linux-2.6.27.4/grsecurity/grsec_init.c linux-2.6.27.4/grsecurity/grsec_init.c
+--- linux-2.6.27.4/grsecurity/grsec_init.c 1969-12-31 19:00:00.000000000 -0500
++++ linux-2.6.27.4/grsecurity/grsec_init.c 2008-10-25 12:03:07.000000000 -0400
+@@ -0,0 +1,32 @@
+#include <linux/kernel.h>
+#include <linux/sched.h>
+#include <linux/mm.h>
@@ -503,6 +523,9 @@
+#ifdef CONFIG_GRKERNSEC_LINK
+ grsec_enable_link = 1;
+#endif
++#ifdef CONFIG_GRKERNSEC_DMESG
++ grsec_enable_dmesg = 1;
++#endif
+#ifdef CONFIG_GRKERNSEC_FIFO
+ grsec_enable_fifo = 1;
+#endif
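Review bot: `grsec_enable_dmesg = 1` is guarded by `CONFIG_GRKERNSEC_DMESG`, but nothing in this diff adds a `config GRKERNSEC_DMESG` entry: grsecurity/Kconfig grows from 123 to 128 lines and the two visible Kconfig hunks (the new sysctl sub-menu and the relocated PROC_IPADDR block) account for exactly that +5, so the option cannot currently be selected and this block is dead. Either add the Kconfig entry together with the `grsec_enable_dmesg` definition and its sysctl (neither is visible here), or leave this block out until the dmesg restriction is actually ported. `grsecurity_init()` opens outside this hunk.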
@@ -510,9 +533,9 @@
+
+ return;
+}
-diff -urNp linux-2.6.26.orig/grsecurity/grsec_link.c linux-2.6.26/grsecurity/grsec_link.c
---- linux-2.6.26.orig/grsecurity/grsec_link.c 1970-01-01 01:00:00.000000000 +0100
-+++ linux-2.6.26/grsecurity/grsec_link.c 2008-09-02 12:17:21.000000000 +0200
+diff -urNp linux-2.6.27.4/grsecurity/grsec_link.c linux-2.6.27.4/grsecurity/grsec_link.c
+--- linux-2.6.27.4/grsecurity/grsec_link.c 1969-12-31 19:00:00.000000000 -0500
++++ linux-2.6.27.4/grsecurity/grsec_link.c 2008-10-25 12:03:07.000000000 -0400
@@ -0,0 +1,37 @@
+#include <linux/kernel.h>
+#include <linux/sched.h>
@@ -551,10 +574,10 @@
+#endif
+ return 0;
+}
-diff -urNp linux-2.6.26.orig/grsecurity/grsec_sock.c linux-2.6.26/grsecurity/grsec_sock.c
---- linux-2.6.26.orig/grsecurity/grsec_sock.c 1970-01-01 01:00:00.000000000 +0100
-+++ linux-2.6.26/grsecurity/grsec_sock.c 2008-09-02 12:17:21.000000000 +0200
-@@ -0,0 +1,170 @@
+diff -urNp linux-2.6.27.4/grsecurity/grsec_sock.c linux-2.6.27.4/grsecurity/grsec_sock.c
+--- linux-2.6.27.4/grsecurity/grsec_sock.c 1969-12-31 19:00:00.000000000 -0500
++++ linux-2.6.27.4/grsecurity/grsec_sock.c 2008-10-28 01:32:07.000000000 -0400
+@@ -0,0 +1,169 @@
+#include <linux/kernel.h>
+#include <linux/module.h>
+#include <linux/sched.h>
@@ -575,7 +598,7 @@
+};
+
+struct conn_table_entry *gr_conn_table[gr_conn_table_size];
-+spinlock_t gr_conn_table_lock = SPIN_LOCK_UNLOCKED;
++DEFINE_SPINLOCK(gr_conn_table_lock);
+
+extern const char * gr_socktype_to_name(unsigned char type);
+extern const char * gr_proto_to_name(unsigned char proto);
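Review bot: Switching to `DEFINE_SPINLOCK()` is the right fix, and while here `gr_conn_table[]` and `gr_conn_table_lock` are file-scope objects with external linkage; if nothing outside grsec_sock.c references them, make them `static struct conn_table_entry *gr_conn_table[gr_conn_table_size];` and `static DEFINE_SPINLOCK(gr_conn_table_lock);` so the lock cannot be taken from elsewhere without this file's ordering rules. A one-line comment stating what the table keys on and which lock protects each field would also help, since `struct conn_table_entry`'s fields are outside this hunk.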
@@ -724,10 +747,9 @@
+#endif
+ return;
+}
-+
-diff -urNp linux-2.6.26.orig/grsecurity/grsec_sysctl.c linux-2.6.26/grsecurity/grsec_sysctl.c
---- linux-2.6.26.orig/grsecurity/grsec_sysctl.c 1970-01-01 01:00:00.000000000 +0100
-+++ linux-2.6.26/grsecurity/grsec_sysctl.c 2008-09-02 12:17:21.000000000 +0200
+diff -urNp linux-2.6.27.4/grsecurity/grsec_sysctl.c linux-2.6.27.4/grsecurity/grsec_sysctl.c
+--- linux-2.6.27.4/grsecurity/grsec_sysctl.c 1969-12-31 19:00:00.000000000 -0500
++++ linux-2.6.27.4/grsecurity/grsec_sysctl.c 2008-10-25 13:42:27.000000000 -0400
@@ -0,0 +1,52 @@
+#include <linux/kernel.h>
+#include <linux/sched.h>
@@ -739,7 +761,7 @@
+gr_handle_sysctl_mod(const char *dirname, const char *name, const int op)
+{
+#ifdef CONFIG_GRKERNSEC_SYSCTL
-+ if (!strcmp(dirname, "grsecurity") && grsec_lock && (op & 002)) {
++ if (!strcmp(dirname, "grsecurity") && grsec_lock && (op & MAY_WRITE)) {
+ return -EACCES;
+ }
+#endif
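Review bot: `MAY_WRITE` is the right constant, but the rule it implements is undocumented: once `grsec_lock` is set, every write under the `grsecurity` sysctl directory is refused, root included, and that is the whole point of the knob. Add above the `if`: `/* grsec_lock: once set, the grsecurity/ sysctl tree is read-only for everyone, root included */` (and say how it is cleared, presumably only by reboot — nothing visible here resets it). `dirname` is also passed to `strcmp()` unchecked, which is fine only if every caller guarantees a non-NULL directory name. The rest of `gr_handle_sysctl_mod()` is outside this hunk.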
@@ -781,10 +803,10 @@
+ { .ctl_name = 0 }
+};
+#endif
-diff -urNp linux-2.6.26.orig/grsecurity/Kconfig linux-2.6.26/grsecurity/Kconfig
---- linux-2.6.26.orig/grsecurity/Kconfig 1970-01-01 01:00:00.000000000 +0100
-+++ linux-2.6.26/grsecurity/Kconfig 2008-09-02 12:17:21.000000000 +0200
-@@ -0,0 +1,123 @@
+diff -urNp linux-2.6.27.4/grsecurity/Kconfig linux-2.6.27.4/grsecurity/Kconfig
+--- linux-2.6.27.4/grsecurity/Kconfig 1969-12-31 19:00:00.000000000 -0500
++++ linux-2.6.27.4/grsecurity/Kconfig 2008-10-25 12:03:07.000000000 -0400
+@@ -0,0 +1,128 @@
+#
+# grecurity configuration
+#
@@ -868,19 +890,11 @@
+ option is enabled, a sysctl option with name "fifo_restrictions" is
+ created.
+
-+config GRKERNSEC_PROC_IPADDR
-+ bool "/proc/<pid>/ipaddr support"
-+ help
-+ If you say Y here, a new entry will be added to each /proc/<pid>
-+ directory that contains the IP address of the person using the task.
-+ The IP is carried across local TCP and AF_UNIX stream sockets.
-+ This information can be useful for IDS/IPSes to perform remote response
-+ to a local attack. The entry is readable by only the owner of the
-+ process (and root if he has CAP_DAC_OVERRIDE, which can be removed via
-+ the RBAC system), and thus does not create privacy concerns.
-+
+endmenu
+
++menu "Sysctl support"
++depends on GRKERNSEC && SYSCTL
++
+config GRKERNSEC_SYSCTL
+ bool "Sysctl support"
+ help
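Review bot: The new `menu "Sysctl support"` wraps a single `config GRKERNSEC_SYSCTL` whose prompt is also "Sysctl support", so menuconfig shows a submenu called Sysctl support containing one entry called Sysctl support. Kconfig's `menuconfig` form expresses this without the duplication: `menuconfig GRKERNSEC_SYSCTL` / `bool "Sysctl support"` / `depends on GRKERNSEC && SYSCTL`, then `if GRKERNSEC_SYSCTL` … `endif` around the lock option, dropping the `menu`/`endmenu` pair. Elsewhere in this file, outside the hunk, the header comment reads `# grecurity configuration` (typo for grsecurity).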
@@ -908,9 +922,22 @@
+ the sysctl entries.
+
+endmenu
-diff -urNp linux-2.6.26.orig/grsecurity/Makefile linux-2.6.26/grsecurity/Makefile
---- linux-2.6.26.orig/grsecurity/Makefile 1970-01-01 01:00:00.000000000 +0100
-+++ linux-2.6.26/grsecurity/Makefile 2008-09-02 12:17:21.000000000 +0200
++
++config GRKERNSEC_PROC_IPADDR
++ bool "/proc/<pid>/ipaddr support"
++ help
++ If you say Y here, a new entry will be added to each /proc/<pid>
++ directory that contains the IP address of the person using the task.
++ The IP is carried across local TCP and AF_UNIX stream sockets.
++ This information can be useful for IDS/IPSes to perform remote response
++ to a local attack. The entry is readable by only the owner of the
++ process (and root if he has CAP_DAC_OVERRIDE, which can be removed via
++ the RBAC system), and thus does not create privacy concerns.
++
++endmenu
+diff -urNp linux-2.6.27.4/grsecurity/Makefile linux-2.6.27.4/grsecurity/Makefile
+--- linux-2.6.27.4/grsecurity/Makefile 1969-12-31 19:00:00.000000000 -0500
++++ linux-2.6.27.4/grsecurity/Makefile 2008-10-25 12:03:07.000000000 -0400
<<Diff was trimmed, longer than 597 lines>>
---- CVS-web:
http://cvs.pld-linux.org/cgi-bin/cvsweb.cgi/SOURCES/linux-2.6-grsec-vs-minimal.patch?r1=1.1.2.8.2.10&r2=1.1.2.8.2.11&f=u