SOURCES (Titanium): kernel-desktop-grsec-minimal.patch - updated for .29

shadzik shadzik at pld-linux.org
Sun Mar 29 22:27:28 CEST 2009


Author: shadzik                      Date: Sun Mar 29 20:27:28 2009 GMT
Module: SOURCES                       Tag: Titanium
---- Log message:
- updated for .29

---- Files affected:
SOURCES:
   kernel-desktop-grsec-minimal.patch (1.8 -> 1.8.4.1) 

---- Diffs:

================================================================
Index: SOURCES/kernel-desktop-grsec-minimal.patch
diff -u SOURCES/kernel-desktop-grsec-minimal.patch:1.8 SOURCES/kernel-desktop-grsec-minimal.patch:1.8.4.1
--- SOURCES/kernel-desktop-grsec-minimal.patch:1.8	Sat Nov 18 02:19:32 2006
+++ SOURCES/kernel-desktop-grsec-minimal.patch	Sun Mar 29 22:27:22 2009
@@ -1,28 +1,7 @@
---- linux-2.6.18.orig/Makefile	2006-11-18 01:09:45.000000000 +0000
-+++ linux-2.6.18.grsec-minimal/Makefile	2006-11-18 01:11:02.000000000 +0000
-@@ -552,7 +552,7 @@
- 
- 
- ifeq ($(KBUILD_EXTMOD),)
--core-y		+= kernel/ mm/ fs/ ipc/ security/ crypto/ block/
-+core-y		+= kernel/ mm/ fs/ ipc/ security/ crypto/ block/ grsecurity/
- 
- vmlinux-dirs	:= $(patsubst %/,%,$(filter %/, $(init-y) $(init-m) \
- 		     $(core-y) $(core-m) $(drivers-y) $(drivers-m) \
---- linux-2.6.18.orig/arch/sparc/Makefile	2006-09-20 03:42:06.000000000 +0000
-+++ linux-2.6.18.grsec-minimal/arch/sparc/Makefile	2006-11-18 01:11:02.000000000 +0000
-@@ -34,7 +34,7 @@
- # Renaming is done to avoid confusing pattern matching rules in 2.5.45 (multy-)
- INIT_Y		:= $(patsubst %/, %/built-in.o, $(init-y))
- CORE_Y		:= $(core-y)
--CORE_Y		+= kernel/ mm/ fs/ ipc/ security/ crypto/ block/
-+CORE_Y		+= kernel/ mm/ fs/ ipc/ security/ crypto/ block/ grsecurity/
- CORE_Y		:= $(patsubst %/, %/built-in.o, $(CORE_Y))
- DRIVERS_Y	:= $(patsubst %/, %/built-in.o, $(drivers-y))
- NET_Y		:= $(patsubst %/, %/built-in.o, $(net-y))
---- linux-2.6.18.orig/drivers/char/keyboard.c	2006-09-20 03:42:06.000000000 +0000
-+++ linux-2.6.18.grsec-minimal/drivers/char/keyboard.c	2006-11-18 01:11:02.000000000 +0000
-@@ -618,6 +618,16 @@
+diff -urNp linux-2.6.26.orig/drivers/char/keyboard.c linux-2.6.26/drivers/char/keyboard.c
+--- linux-2.6.26.orig/drivers/char/keyboard.c	2008-09-01 11:43:37.000000000 +0200
++++ linux-2.6.26/drivers/char/keyboard.c	2008-09-02 12:17:21.000000000 +0200
+@@ -633,6 +633,16 @@ static void k_spec(struct vc_data *vc, u
  	     kbd->kbdmode == VC_MEDIUMRAW) &&
  	     value != KVAL(K_SAK))
  		return;		/* SAK is allowed even in raw mode */
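Review bot: The new file headers at the top of the keyboard.c section (`diff -urNp linux-2.6.26.orig/drivers/char/keyboard.c linux-2.6.26/drivers/char/keyboard.c`) still name a 2.6.26 tree, while the log message says the patch was updated for .29, so a reader cannot tell which tree the `@@ -633,6 +633,16 @@` offsets were generated against. `patch` takes the path from the `---`/`+++` lines and will fuzz the offsets, so this is not a functional problem, but regenerating the headers against the tree actually targeted (or naming the base tree in the log message) would make the next rebase easier. The same 2.6.26 headers appear on the new side of the later hunks, and the cmdline.c/devices.c/kcore.c sections carry 2008-12/2009-01 timestamps with no `diff` line, which suggests they were produced separately and merged by hand.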
@@ -36,30 +15,33 @@
 +	}
 +#endif
 +
- 	fn_handler[value](vc, regs);
+ 	fn_handler[value](vc);
  }
  
---- linux-2.6.18.orig/drivers/pci/proc.c	2006-09-20 03:42:06.000000000 +0000
-+++ linux-2.6.18.grsec-minimal/drivers/pci/proc.c	2006-11-18 01:11:02.000000000 +0000
-@@ -467,7 +467,15 @@
+diff -urNp linux-2.6.26.orig/drivers/pci/proc.c linux-2.6.26/drivers/pci/proc.c
+--- linux-2.6.26.orig/drivers/pci/proc.c	2008-09-01 11:43:47.000000000 +0200
++++ linux-2.6.26/drivers/pci/proc.c	2008-09-02 12:17:21.000000000 +0200
+@@ -472,7 +472,16 @@ static const struct file_operations proc
+ static int __init pci_proc_init(void)
  {
- 	struct proc_dir_entry *entry;
  	struct pci_dev *dev = NULL;
++
 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
 +#ifdef CONFIG_GRKERNSEC_PROC_USER
-+	proc_bus_pci_dir = proc_mkdir_mode("pci", S_IRUSR | S_IXUSR, proc_bus);
++	proc_bus_pci_dir = proc_mkdir_mode("bus/pci", S_IRUSR | S_IXUSR, NULL);
 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
-+	proc_bus_pci_dir = proc_mkdir_mode("pci", S_IRUSR | S_IXUSR | S_IRGRP | S_IXGRP, proc_bus);
++	proc_bus_pci_dir = proc_mkdir_mode("bus/pci", S_IRUSR | S_IXUSR | S_IRGRP | S_IXGRP, NULL);
 +#endif
 +#else
- 	proc_bus_pci_dir = proc_mkdir("pci", proc_bus);
+ 	proc_bus_pci_dir = proc_mkdir("bus/pci", NULL);
 +#endif
- 	entry = create_proc_entry("devices", 0, proc_bus_pci_dir);
- 	if (entry)
- 		entry->proc_fops = &proc_bus_pci_dev_operations;
---- linux-2.6.18.orig/fs/Kconfig	2006-09-20 03:42:06.000000000 +0000
-+++ linux-2.6.18.grsec-minimal/fs/Kconfig	2006-11-18 01:11:02.000000000 +0000
-@@ -817,7 +817,7 @@
+ 	proc_create("devices", 0, proc_bus_pci_dir,
+ 		    &proc_bus_pci_dev_operations);
+ 	proc_initialized = 1;
+diff -urNp linux-2.6.26.orig/fs/Kconfig linux-2.6.26/fs/Kconfig
+--- linux-2.6.26.orig/fs/proc/Kconfig	2008-09-01 11:43:58.000000000 +0200
++++ linux-2.6.26/fs/proc/Kconfig	2008-09-02 12:17:21.000000000 +0200
+@@ -926,12 +926,12 @@ config PROC_FS
  
  config PROC_KCORE
  	bool "/proc/kcore support" if !ARM
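Review bot: The new `diff -urNp linux-2.6.26.orig/fs/Kconfig linux-2.6.26/fs/Kconfig` line names fs/Kconfig while the `---`/`+++` lines directly below it name fs/proc/Kconfig, so the section header contradicts itself. `patch` resolves the file from the `---`/`+++` lines, and the offset in `@@ -926,12 +926,12 @@ config PROC_FS` looks as if it was carried over from fs/Kconfig (fs/proc/Kconfig is far shorter), so the hunk will most likely apply only with an offset or fuzz; regenerating it against fs/proc/Kconfig would give a clean apply and a header that matches the file. The PROC_KCORE/PROC_VMCORE stanza this hunk edits continues past the end of the hunk.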
@@ -68,277 +50,31 @@
  
  config PROC_VMCORE
          bool "/proc/vmcore support (EXPERIMENTAL)"
---- linux-2.6.18.orig/fs/namei.c	2006-09-20 03:42:06.000000000 +0000
-+++ linux-2.6.18.grsec-minimal/fs/namei.c	2006-11-18 01:11:02.000000000 +0000
-@@ -32,6 +32,7 @@
- #include <linux/file.h>
- #include <linux/fcntl.h>
- #include <linux/namei.h>
-+#include <linux/grsecurity.h>
- #include <asm/namei.h>
- #include <asm/uaccess.h>
+-        depends on PROC_FS && CRASH_DUMP
+-	default y
++        depends on PROC_FS && CRASH_DUMP && !GRKERNSEC
++	default n
+         help
+         Exports the dump image of crashed kernel in ELF format.
+ 
+diff -urNp linux-2.6.26.orig/fs/proc/array.c linux-2.6.26/fs/proc/array.c
+--- linux-2.6.26.orig/fs/proc/array.c	2008-09-01 11:43:59.000000000 +0200
++++ linux-2.6.26/fs/proc/array.c	2008-09-02 12:17:21.000000000 +0200
+@@ -639,3 +639,10 @@ int proc_pid_statm(struct seq_file *m, s
  
-@@ -618,6 +619,13 @@
- 	err = security_inode_follow_link(path->dentry, nd);
- 	if (err)
- 		goto loop;
-+
-+	if (gr_handle_follow_link(path->dentry->d_parent->d_inode,
-+				  path->dentry->d_inode, path->dentry, nd->mnt)) {
-+		err = -EACCES;
-+		goto loop;
-+	}
-+
- 	current->link_count++;
- 	current->total_link_count++;
- 	nd->depth++;
-@@ -1665,6 +1673,13 @@
- 	/*
- 	 * It already exists.
- 	 */
-+
-+	if (gr_handle_fifo(path.dentry, nd->mnt, dir, flag, acc_mode)) {
-+		mutex_unlock(&dir->d_inode->i_mutex);
-+		error = -EACCES;
-+		goto exit_dput;
-+	}
-+
- 	mutex_unlock(&dir->d_inode->i_mutex);
- 	audit_inode_update(path.dentry->d_inode);
- 
-@@ -1720,6 +1735,13 @@
- 	error = security_inode_follow_link(path.dentry, nd);
- 	if (error)
- 		goto exit_dput;
-+
-+	if (gr_handle_follow_link(path.dentry->d_parent->d_inode, path.dentry->d_inode,
-+				  path.dentry, nd->mnt)) {
-+		error = -EACCES;
-+		goto exit_dput;
-+	}
-+
- 	error = __do_follow_link(&path, nd);
- 	if (error) {
- 		/* Does someone understand code flow here? Or it is only
-@@ -2281,7 +2303,14 @@
- 	new_dentry = lookup_create(&nd, 0);
- 	error = PTR_ERR(new_dentry);
- 	if (!IS_ERR(new_dentry)) {
--		error = vfs_link(old_nd.dentry, nd.dentry->d_inode, new_dentry);
-+		error = 0;
-+		if (gr_handle_hardlink(old_nd.dentry, old_nd.mnt,
-+				       old_nd.dentry->d_inode,
-+				       old_nd.dentry->d_inode->i_mode, to))
-+			error = -EPERM;
-+		if (!error)
-+			error = vfs_link(old_nd.dentry, nd.dentry->d_inode,
-+				new_dentry);
- 		dput(new_dentry);
- 	}
- 	mutex_unlock(&nd.dentry->d_inode->i_mutex);
---- linux-2.6.18.orig/fs/proc/array.c	2006-11-18 01:09:47.000000000 +0000
-+++ linux-2.6.18.grsec-minimal/fs/proc/array.c	2006-11-18 01:11:02.000000000 +0000
-@@ -486,3 +486,14 @@
- 	return sprintf(buffer,"%d %d %d %d %d %d %d\n",
- 		       size, resident, shared, text, lib, data, 0);
+ 	return 0;
  }
 +
 +#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
-+int proc_pid_ipaddr(struct task_struct *task, char * buffer)
++int proc_pid_ipaddr(struct task_struct *task, char *buffer)
 +{
-+	int len;
-+
-+	len = sprintf(buffer, "%u.%u.%u.%u\n", NIPQUAD(task->signal->curr_ip));
-+	return len;
++	return sprintf(buffer, "%u.%u.%u.%u\n", NIPQUAD(task->signal->curr_ip));
 +}
 +#endif
-+
---- linux-2.6.18.orig/fs/proc/base.c	2006-09-20 03:42:06.000000000 +0000
-+++ linux-2.6.18.grsec-minimal/fs/proc/base.c	2006-11-18 01:11:02.000000000 +0000
-@@ -136,6 +136,9 @@
- #ifdef CONFIG_AUDITSYSCALL
- 	PROC_TGID_LOGINUID,
- #endif
-+#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
-+	PROC_TGID_IPADDR,
-+#endif
- 	PROC_TGID_OOM_SCORE,
- 	PROC_TGID_OOM_ADJUST,
- 	PROC_TID_INO,
-@@ -220,6 +223,9 @@
- 	E(PROC_TGID_EXE,       "exe",     S_IFLNK|S_IRWXUGO),
- 	E(PROC_TGID_MOUNTS,    "mounts",  S_IFREG|S_IRUGO),
- 	E(PROC_TGID_MOUNTSTATS, "mountstats", S_IFREG|S_IRUSR),
-+#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
-+	E(PROC_TGID_IPADDR,	"ipaddr",  S_IFREG|S_IRUSR),
-+#endif
- #ifdef CONFIG_MMU
- 	E(PROC_TGID_SMAPS,     "smaps",   S_IFREG|S_IRUGO),
- #endif
-@@ -1321,6 +1327,9 @@
- 	if (task_dumpable(task)) {
- 		inode->i_uid = task->euid;
- 		inode->i_gid = task->egid;
-+#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
-+		inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
-+#endif
- 	}
- 	security_task_to_inode(task, inode);
- 
-@@ -1353,11 +1362,30 @@
- {
- 	struct inode *inode = dentry->d_inode;
- 	struct task_struct *task = get_proc_task(inode);
--	if (task) {
-+#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
-+	struct task_struct *tmp = current;
-+#endif
-+	if (task
-+	#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
-+		&& (!tmp->uid || (tmp->uid == task->uid)
-+	#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
-+		|| in_group_p(CONFIG_GRKERNSEC_PROC_GID)
-+	#endif
-+		)
-+	#endif
-+	) {
- 		if ((inode->i_mode == (S_IFDIR|S_IRUGO|S_IXUGO)) ||
-+	#ifdef CONFIG_GRKERNSEC_PROC_USER
-+		(inode->i_mode == (S_IFDIR|S_IRUSR|S_IXUSR)) ||
-+	#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
-+		(inode->i_mode == (S_IFDIR|S_IRUSR|S_IRGRP|S_IXUSR|S_IXGRP)) ||
-+	#endif
- 		    task_dumpable(task)) {
- 			inode->i_uid = task->euid;
- 			inode->i_gid = task->egid;
-+	#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
-+			inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
-+	#endif
- 		} else {
- 			inode->i_uid = 0;
- 			inode->i_gid = 0;
-@@ -1383,9 +1411,17 @@
- 	task = pid_task(proc_pid(inode), PIDTYPE_PID);
- 	if (task) {
- 		if ((inode->i_mode == (S_IFDIR|S_IRUGO|S_IXUGO)) ||
-+#ifdef CONFIG_GRKERNSEC_PROC_USER
-+		    (inode->i_mode == (S_IFDIR|S_IRUSR|S_IXUSR)) ||
-+#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
-+		    (inode->i_mode == (S_IFDIR|S_IRUSR|S_IRGRP|S_IXUSR|S_IXGRP)) ||
-+#endif
- 		    task_dumpable(task)) {
- 			stat->uid = task->euid;
- 			stat->gid = task->egid;
-+#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
-+			stat->gid = CONFIG_GRKERNSEC_PROC_GID;
-+#endif
- 		}
- 	}
- 	rcu_read_unlock();
-@@ -1721,6 +1757,12 @@
- 			inode->i_fop = &proc_info_file_operations;
- 			ei->op.proc_read = proc_pid_status;
- 			break;
-+#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
-+		case PROC_TGID_IPADDR:
-+			inode->i_fop = &proc_info_file_operations;
-+			ei->op.proc_read = proc_pid_ipaddr;
-+			break;
-+#endif
- 		case PROC_TID_STAT:
- 			inode->i_fop = &proc_info_file_operations;
- 			ei->op.proc_read = proc_tid_stat;
-@@ -2061,7 +2103,14 @@
- 	if (!inode)
- 		goto out_put_task;
- 
-+#ifdef CONFIG_GRKERNSEC_PROC_USER
-+	inode->i_mode = S_IFDIR|S_IRUSR|S_IXUSR;
-+#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
-+	inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
-+	inode->i_mode = S_IFDIR|S_IRUSR|S_IXUSR|S_IRGRP|S_IXGRP;
-+#else
- 	inode->i_mode = S_IFDIR|S_IRUGO|S_IXUGO;
-+#endif
- 	inode->i_op = &proc_tgid_base_inode_operations;
- 	inode->i_fop = &proc_tgid_base_operations;
- 	inode->i_flags|=S_IMMUTABLE;
-@@ -2155,12 +2204,27 @@
- static struct task_struct *first_tgid(int tgid, unsigned int nr)
- {
- 	struct task_struct *pos;
-+	#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
-+		struct task_struct *tmp = current;
-+	#endif
- 	rcu_read_lock();
- 	if (tgid && nr) {
- 		pos = find_task_by_pid(tgid);
-+		if (pos
-+	#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
-+			&& (tmp->uid && (pos->uid != tmp->uid)
-+	#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
-+			&& !in_group_p(CONFIG_GRKERNSEC_PROC_GID)
-+	#endif
-+			)
-+	#endif
-+		)
-+			goto not_found;
-+
- 		if (pos && thread_group_leader(pos))
- 			goto found;
- 	}
-+	not_found:
- 	/* If nr exceeds the number of processes get out quickly */
- 	pos = NULL;
- 	if (nr && nr >= nr_processes())
-@@ -2175,6 +2239,16 @@
- 			pos = NULL;
- 			goto done;
- 		}
-+		if (pos
-+#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
-+		    && (tmp->uid && (pos->uid != tmp->uid)
-+#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
-+			&& !in_group_p(CONFIG_GRKERNSEC_PROC_GID)
-+#endif
-+			)
-+#endif
-+		)
-+			nr++;
- 	}
- found:
- 	get_task_struct(pos);
-@@ -2212,6 +2286,9 @@
- {
- 	char buf[PROC_NUMBUF];
- 	unsigned int nr = filp->f_pos - FIRST_PROCESS_ENTRY;
-+#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
-+	struct task_struct *tmp = current;
-+#endif
- 	struct task_struct *task;
- 	int tgid;
- 
-@@ -2234,6 +2311,17 @@
- 	     task = next_tgid(task), filp->f_pos++) {
- 		int len;
- 		ino_t ino;
-+
-+#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
-+		if (tmp->uid && (task->uid != tmp->uid)
-+#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
-+			&& !in_group_p(CONFIG_GRKERNSEC_PROC_GID)
-+#endif
-+		) {
-+			continue;
-+		}
-+#endif
-+
- 		tgid = task->pid;
- 		len = snprintf(buf, sizeof(buf), "%d", tgid);
- 		ino = fake_ino(tgid, PROC_TGID_INO);
---- linux-2.6.18.orig/fs/proc/inode.c	2006-09-20 03:42:06.000000000 +0000
-+++ linux-2.6.18.grsec-minimal/fs/proc/inode.c	2006-11-18 01:11:02.000000000 +0000
-@@ -166,7 +166,11 @@
+diff -urNp linux-2.6.26.orig/fs/proc/inode.c linux-2.6.26/fs/proc/inode.c
+--- linux-2.6.26.orig/fs/proc/inode.c	2008-09-01 11:43:59.000000000 +0200
++++ linux-2.6.26/fs/proc/inode.c	2008-09-02 12:17:21.000000000 +0200
+@@ -403,7 +403,11 @@ struct inode *proc_get_inode(struct supe
  		if (de->mode) {
  			inode->i_mode = de->mode;
  			inode->i_uid = de->uid;
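Review bot: On the new side `proc_pid_ipaddr()` in fs/proc/array.c is kept under CONFIG_GRKERNSEC_PROC_IPADDR, but every line that wired it up is dropped with no replacement visible in this hunk: the whole fs/proc/base.c section (the PROC_TGID_IPADDR enum value, the "ipaddr" entry and the `ei->op.proc_read = proc_pid_ipaddr;` case) and the `extern int proc_pid_ipaddr(...)` prototype in fs/proc/internal.h are removed outright. Unless a base.c/internal.h hunk appears in the trimmed remainder, the function becomes an unreferenced non-static definition with no prototype and /proc/<pid>/ipaddr is never created, so the option silently does nothing; either restore the wiring for the current base.c layout or drop the array.c hunk too. Dropping the base.c section also means CONFIG_GRKERNSEC_PROC_USER/USERGROUP no longer hide other users' /proc/<pid> directories and only narrow a few top-level entries (cmdline, devices, bus, net), so whatever Kconfig help text accompanies these options should not promise per-process isolation. Since the log says this is for .29, it is also worth verifying that `NIPQUAD()` still exists in that tree; the kernel's replacement is the `%pI4` printk format, i.e. `return sprintf(buffer, "%pI4\n", &task->signal->curr_ip);`.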
@@ -348,284 +84,91 @@
  			inode->i_gid = de->gid;
 +#endif
  		}
- 		if (de->size)
- 			inode->i_size = de->size;
---- linux-2.6.18.orig/fs/proc/internal.h	2006-09-20 03:42:06.000000000 +0000
-+++ linux-2.6.18.grsec-minimal/fs/proc/internal.h	2006-11-18 01:11:02.000000000 +0000
-@@ -36,6 +36,9 @@
- extern int proc_tgid_stat(struct task_struct *, char *);
- extern int proc_pid_status(struct task_struct *, char *);
- extern int proc_pid_statm(struct task_struct *, char *);
-+#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
-+extern int proc_pid_ipaddr(struct task_struct*,char*);
-+#endif
+ 		if (de->vx_flags)
+ 			PROC_I(inode)->vx_flags = de->vx_flags;
+--- linux-2.6.26.orig/fs/proc/cmdline.c	2008-12-25 00:26:37.000000000 +0100
++++ linux-2.6.26/fs/proc/cmdline.c	2009-01-02 17:46:34.278247774 +0100
+@@ -23,7 +23,15 @@
  
- extern struct file_operations proc_maps_operations;
- extern struct file_operations proc_numa_maps_operations;
---- linux-2.6.18.orig/fs/proc/proc_misc.c	2006-09-20 03:42:06.000000000 +0000
-+++ linux-2.6.18.grsec-minimal/fs/proc/proc_misc.c	2006-11-18 01:11:02.000000000 +0000
-@@ -655,6 +655,10 @@
- void __init proc_misc_init(void)
+ static int __init proc_cmdline_init(void)
  {
- 	struct proc_dir_entry *entry;
-+#ifdef CONFIG_GRKERNSEC_PROC
+-	proc_create("cmdline", 0, NULL, &cmdline_proc_fops);
 +	int gr_mode = 0;
-+#endif
-+
- 	static struct {
- 		char *name;
- 		int (*read_proc)(char*,char**,off_t,int,int*,void*);
-@@ -670,7 +674,9 @@
- 		{"stram",	stram_read_proc},
- #endif
- 		{"filesystems",	filesystems_read_proc},
-+#ifndef CONFIG_GRKERNSEC_PROC_ADD
- 		{"cmdline",	cmdline_read_proc},
-+#endif
- 		{"locks",	locks_read_proc},
- 		{"execdomains",	execdomains_read_proc},
- 		{NULL,}
-@@ -678,19 +684,37 @@
- 	for (p = simple_ones; p->name; p++)
- 		create_proc_read_entry(p->name, 0, NULL, p->read_proc, NULL);
- 
 +#ifdef CONFIG_GRKERNSEC_PROC_USER
 +	gr_mode = S_IRUSR;
 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
 +	gr_mode = S_IRUSR | S_IRGRP;
 +#endif
 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
-+	create_proc_read_entry("cmdline", gr_mode, NULL, &cmdline_read_proc, NULL);
++	proc_create("cmdline", gr_mode, NULL, &cmdline_proc_fops);
 +#endif
-+
- 	proc_symlink("mounts", NULL, "self/mounts");
+ 	return 0;
+ }
+ module_init(proc_cmdline_init);
+--- linux-2.6.26.orig/fs/proc/devices.c	2008-12-25 00:26:37.000000000 +0100
++++ linux-2.6.26/fs/proc/devices.c	2009-01-02 17:43:00.758269666 +0100
+@@ -64,7 +64,13 @@
  
- 	/* And now for trickier ones */
- 	entry = create_proc_entry("kmsg", S_IRUSR, &proc_root);
- 	if (entry)
- 		entry->proc_fops = &proc_kmsg_operations;
-+
-+#ifdef CONFIG_GRKERNSEC_PROC_ADD
-+	create_seq_entry("devices", gr_mode, &proc_devinfo_operations);
-+#else
- 	create_seq_entry("devices", 0, &proc_devinfo_operations);
-+#endif
- 	create_seq_entry("cpuinfo", 0, &proc_cpuinfo_operations);
- 	create_seq_entry("partitions", 0, &proc_partitions_operations);
- 	create_seq_entry("stat", 0, &proc_stat_operations);
- 	create_seq_entry("interrupts", 0, &proc_interrupts_operations);
- #ifdef CONFIG_SLAB
-+#ifdef CONFIG_GRKERNSEC_PROC_ADD
-+	create_seq_entry("slabinfo",S_IWUSR|gr_mode,&proc_slabinfo_operations);
-+#else
- 	create_seq_entry("slabinfo",S_IWUSR|S_IRUGO,&proc_slabinfo_operations);
-+#endif
- #ifdef CONFIG_DEBUG_SLAB_LEAK
- 	create_seq_entry("slab_allocators", 0 ,&proc_slabstats_operations);
- #endif
-@@ -705,7 +729,7 @@
- #ifdef CONFIG_SCHEDSTATS
- 	create_seq_entry("schedstat", 0, &proc_schedstat_operations);
- #endif
--#ifdef CONFIG_PROC_KCORE
-+#if defined(CONFIG_PROC_KCORE) && !defined(CONFIG_GRKERNSEC_PROC_ADD)
- 	proc_root_kcore = create_proc_entry("kcore", S_IRUSR, NULL);
- 	if (proc_root_kcore) {
- 		proc_root_kcore->proc_fops = &proc_kcore_operations;
---- linux-2.6.18.orig/fs/proc/root.c	2006-09-20 03:42:06.000000000 +0000
-+++ linux-2.6.18.grsec-minimal/fs/proc/root.c	2006-11-18 01:11:02.000000000 +0000
-@@ -52,7 +52,13 @@
- 		return;
- 	}
- 	proc_misc_init();
+ static int __init proc_devices_init(void)
+ {
+-	proc_create("devices", 0, NULL, &proc_devinfo_operations);
++	int gr_mode = 0;
 +#ifdef CONFIG_GRKERNSEC_PROC_USER
-+	proc_net = proc_mkdir_mode("net", S_IRUSR | S_IXUSR, NULL);
++	gr_mode = S_IRUSR;
 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
-+	proc_net = proc_mkdir_mode("net", S_IRUSR | S_IXUSR | S_IRGRP | S_IXGRP, NULL);
-+#else
- 	proc_net = proc_mkdir("net", NULL);
++	gr_mode = S_IRUSR | S_IRGRP;
 +#endif
- 	proc_net_stat = proc_mkdir("net/stat", NULL);
++	proc_create("devices", gr_mode, NULL, &proc_devinfo_operations);
+ 	return 0;
+ }
+ module_init(proc_devices_init);
+--- linux-2.6.26.orig/fs/proc/kcore.c	2008-12-25 00:26:37.000000000 +0100
++++ linux-2.6.26/fs/proc/kcore.c	2009-01-02 17:45:03.714922801 +0100
+@@ -404,10 +404,12 @@
  
- #ifdef CONFIG_SYSVIPC
-@@ -76,7 +82,15 @@
+ static int __init proc_kcore_init(void)
+ {
++#if defined(CONFIG_PROC_KCORE) && !defined(CONFIG_GRKERNSEC_PROC_ADD)
+ 	proc_root_kcore = proc_create("kcore", S_IRUSR, NULL, &proc_kcore_operations);
+ 	if (proc_root_kcore)
+ 		proc_root_kcore->size =
+ 				(size_t)high_memory - PAGE_OFFSET + PAGE_SIZE;
++#endif
+ 	return 0;
+ }
+ module_init(proc_kcore_init);
+diff -urNp linux-2.6.26.orig/fs/proc/root.c linux-2.6.26/fs/proc/root.c
+--- linux-2.6.26.orig/fs/proc/root.c	2008-09-01 11:43:59.000000000 +0200
++++ linux-2.6.26/fs/proc/root.c	2008-09-02 12:17:21.000000000 +0200
+@@ -139,7 +139,15 @@ void __init proc_root_init(void)
  #ifdef CONFIG_PROC_DEVICETREE
  	proc_device_tree_init();
  #endif
 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
 +#ifdef CONFIG_GRKERNSEC_PROC_USER
-+	proc_bus = proc_mkdir_mode("bus", S_IRUSR | S_IXUSR, NULL);
++	proc_mkdir_mode("bus", S_IRUSR | S_IXUSR, NULL);
 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
-+	proc_bus = proc_mkdir_mode("bus", S_IRUSR | S_IXUSR | S_IRGRP | S_IXGRP, NULL);
++	proc_mkdir_mode("bus", S_IRUSR | S_IXUSR | S_IRGRP | S_IXGRP, NULL);
 +#endif
 +#else
- 	proc_bus = proc_mkdir("bus", NULL);
+ 	proc_mkdir("bus", NULL);
 +#endif
+ 	proc_sys_init();
+ 	proc_vx_init();
  }
- 
- static int proc_root_getattr(struct vfsmount *mnt, struct dentry *dentry, struct kstat *stat
---- linux-2.6.18.orig/grsecurity/Kconfig	1970-01-01 00:00:00.000000000 +0000
-+++ linux-2.6.18.grsec-minimal/grsecurity/Kconfig	2006-11-18 01:11:02.000000000 +0000
-@@ -0,0 +1,135 @@
-+#
-+# grecurity configuration
-+#
-+
-+menu "Grsecurity"
-+
-+config GRKERNSEC
-+	bool "Grsecurity"
-+	select CRYPTO
-+	select CRYPTO_SHA256
-+	help
-+	  If you say Y here, you will be able to configure many features
-+	  that will enhance the security of your system.  It is highly
-+	  recommended that you say Y here and read through the help
-+	  for each option so that you fully understand the features and
-+	  can evaluate their usefulness for your machine.
-+
-+menu "Filesystem Protections"
-+depends on GRKERNSEC
-+
-+config GRKERNSEC_PROC
-+	bool "Proc restrictions"
-+	help
-+	  If you say Y here, the permissions of the /proc filesystem
-+	  will be altered to enhance system security and privacy.  You MUST
-+  	  choose either a user only restriction or a user and group restriction.
-+	  Depending upon the option you choose, you can either restrict users to
-+	  see only the processes they themselves run, or choose a group that can
-+	  view all processes and files normally restricted to root if you choose
-+	  the "restrict to user only" option.  NOTE: If you're running identd as
-+	  a non-root user, you will have to run it as the group you specify here.
-+
-+config GRKERNSEC_PROC_USER
-+	bool "Restrict /proc to user only"
-+	depends on GRKERNSEC_PROC
-+	help
-+	  If you say Y here, non-root users will only be able to view their own
-+	  processes, and restricts them from viewing network-related information,
-+	  and viewing kernel symbol and module information.
-+
-+config GRKERNSEC_PROC_USERGROUP
-+	bool "Allow special group"
-+	depends on GRKERNSEC_PROC && !GRKERNSEC_PROC_USER
-+	help
-+	  If you say Y here, you will be able to select a group that will be
<<Diff was trimmed, longer than 597 lines>>

---- CVS-web:
    http://cvs.pld-linux.org/cgi-bin/cvsweb.cgi/SOURCES/kernel-desktop-grsec-minimal.patch?r1=1.8&r2=1.8.4.1&f=u


